misc: binary api fuzz test fixes

[vpp.git] / src / plugins / dhcp / dhcp_api.c

diff --git a/src/plugins/dhcp/dhcp_api.c b/src/plugins/dhcp/dhcp_api.c
index 744d838..d2e4235 100644 (file)
--- a/src/plugins/dhcp/dhcp_api.c
+++ b/src/plugins/dhcp/dhcp_api.c
@@ -372,11 +372,17 @@ send_dhcp_client_entry (const dhcp_client_t * client, void *arg)
 {
   dhcp_client_send_walk_ctx_t *ctx;
   vl_api_dhcp_client_details_t *mp;
+  u32 count;
+  size_t n;
 
   ctx = arg;
 
-  mp = vl_msg_api_alloc (sizeof (*mp));
-  clib_memset (mp, 0, sizeof (*mp));
+  count = vec_len (client->domain_server_address);
+  n = sizeof (*mp) + (count * sizeof (vl_api_domain_server_t));
+  mp = vl_msg_api_alloc (n);
+  if (!mp)
+    return 0;
+  clib_memset (mp, 0, n);
 
   mp->_vl_msg_id = ntohs (VL_API_DHCP_CLIENT_DETAILS + REPLY_MSG_ID_BASE);
   mp->context = ctx->context;
@@ -543,6 +549,12 @@ void
   params.T1 = ntohl (mp->T1);
   params.T2 = ntohl (mp->T2);
   n_addresses = ntohl (mp->n_addresses);
+  /* Make sure that the number of addresses is sane */
+  if (n_addresses * sizeof (params.addresses) > vl_msg_api_max_length (mp))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto bad_sw_if_index;
+    }
   params.addresses = 0;
   if (n_addresses > 0)
     vec_validate (params.addresses, n_addresses - 1);
@@ -587,6 +599,14 @@ void
   params.T1 = ntohl (mp->T1);
   params.T2 = ntohl (mp->T2);
   n_prefixes = ntohl (mp->n_prefixes);
+
+  /* Minimal check to see that the number of prefixes is sane */
+  if (n_prefixes * sizeof (params.prefixes) > vl_msg_api_max_length (mp))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto bad_sw_if_index;
+    }
+
   params.prefixes = 0;
   if (n_prefixes > 0)
     vec_validate (params.prefixes, n_prefixes - 1);