From: Andrew Yourtchenko
Date: Thu, 25 Mar 2021 14:13:47 +0000 (+0000)
Subject: acl: fix the integer overflow bug in API message length validation logic
X-Git-Tag: v21.10-rc0~331
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F66%2F31766%2F3;p=vpp.git

acl: fix the integer overflow bug in API message length validation logic

Sending the bogus acl_add_replace message with count=~0 will result in an overflow of "expected_len" field which is a u32, thus the message will pass the validation when it should not. Solution - make the expected_len a u64 to avoid overflow. The bug was found while experimenting with libfuzzer as part of https://gerrit.fd.io/r/c/vpp/+/31763
Type: fix
Change-Id: I4a866d48f2418148236f1b1d77c487b869c7c43d
Signed-off-by: Andrew Yourtchenko
---
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index ba4243c6926..dcca2a2c9ba 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -1772,7 +1772,7 @@ macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
 *
 */
 static int
-verify_message_len (void *mp, u32 expected_len, char *where)
+verify_message_len (void *mp, u64 expected_len, char *where)
 {
 u32 supplied_len = vl_msg_api_get_msg_length (mp);
 if (supplied_len < expected_len)
@@ -1796,7 +1796,7 @@ vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
 int rv;
 u32 acl_list_index = ntohl (mp->acl_index);
 u32 acl_count = ntohl (mp->count);
- u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
+ u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
 
 if (verify_message_len (mp, expected_len, "acl_add_replace"))
 {
@@ -2085,7 +2085,7 @@ vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
 int rv;
 u32 acl_list_index = ~0;
 u32 acl_count = ntohl (mp->count);
- u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
+ u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
 
 if (verify_message_len (mp, expected_len, "macip_acl_add"))
 {
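Review bot: Widening the `expected_len` parameter of verify_message_len to u64 may leave a stale 32-bit format conversion in the part of the function that lies beyond this hunk. Only the signature and the `supplied_len < expected_len` comparison are visible here, and the comparison itself is fine because the u32 `supplied_len` is promoted. If the failure path logs `expected_len` with `%d` or `%u`, that argument no longer matches and should move to a 64-bit conversion such as `%llu`. The header comment above the function could also record why the type is wide, for example `expected_len is u64 so callers can pass header size + count * element size without it wrapping`.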
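Review bot: Making `expected_len` a u64 in vl_api_acl_add_replace_t_handler does not widen the arithmetic in `sizeof (*mp) + acl_count * sizeof (mp->r[0])`. The product of a u32 and a `sizeof` result is computed in `size_t`, so the fix holds only where `size_t` is 64 bits; on a build with a 32-bit `size_t`, a message with `count=~0` would still wrap before the assignment and pass verify_message_len as before. Casting the count removes that dependence on the ABI: `u64 expected_len = sizeof (*mp) + (u64) acl_count * sizeof (mp->r[0]);`. The same expression is changed in the vl_api_macip_acl_add_t_handler and vl_api_macip_acl_add_replace_t_handler hunks and needs the same cast. All three handler bodies continue outside their hunks, so how `acl_count` is used after the length check cannot be judged from here.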
@@ -2112,7 +2112,7 @@ vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
 int rv;
 u32 acl_list_index = ntohl (mp->acl_index);
 u32 acl_count = ntohl (mp->count);
- u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
+ u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
 
 if (verify_message_len (mp, expected_len, "macip_acl_add_replace"))
 {