From 56177e64b620b93d3d935cd1f1663e2f7f1e5592 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Beno=C3=AEt=20Ganne?=
Date: Tue, 5 Jan 2021 17:47:59 +0100
Subject: [PATCH] acl: fix tag C-string overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
tag is expected to be a null-terminated C-string
Type: fix
Change-Id: I633719068c37eac395cc30a6a314c00848e9cdca
Signed-off-by: Benoît Ganne
---
 src/plugins/acl/acl.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 7cde5ce60ad..3fbfcf692ad 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -320,8 +320,13 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 acl_list_t *a;
 acl_rule_t *r;
 acl_rule_t *acl_new_rules = 0;
+ size_t tag_len;
 int i;
+ tag_len = clib_strnlen ((const char *) tag, sizeof (a->tag));
+ if (tag_len == sizeof (a->tag))
+ return VNET_API_ERROR_INVALID_VALUE;
+
 if (am->trace_acl > 255)
 clib_warning ("API dbg: acl_add_list index %d tag %s", *acl_list_index, tag);
@@ -399,7 +404,7 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 vec_free (a->rules);
 }
 a->rules = acl_new_rules;
- memcpy (a->tag, tag, sizeof (a->tag));
+ memcpy (a->tag, tag, tag_len + 1);
 if (am->trace_acl > 255)
 warning_acl_print_acl (am->vlib_main, am, *acl_list_index);
 if (am->reclassify_sessions)
@@ -1548,9 +1553,14 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
 macip_acl_list_t *a;
 macip_acl_rule_t *r;
 macip_acl_rule_t *acl_new_rules = 0;
+ size_t tag_len;
 int i;
 int rv = 0;
+ tag_len = clib_strnlen ((const char *) tag, sizeof (a->tag));
+ if (tag_len == sizeof (a->tag))
+ return VNET_API_ERROR_INVALID_VALUE;
+
 if (*acl_list_index != ~0)
 {
 /* They supplied some number, let's see if this MACIP ACL exists */
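Review bot: The `clib_strnlen` scan added at the top of acl_add_list reads up to `sizeof (a->tag)` bytes from `tag`, so it stays in bounds only when the caller passes a NUL-terminated string or a buffer at least that large. The last hunk removes the `vec_validate` padding in acl_set_aclplugin_acl_fn, so the CLI path now depends on the parsed tag vector being terminated; the `"cli"` default is, but the parsing of a user-supplied tag is outside the diff. If that is not guaranteed, `vec_terminate_c_string (tag);` before the `acl_add_list` call would keep the scan inside the vector. The same check is added to macip_acl_add_list in the third hunk, and both places would benefit from a comment such as `/* reject a tag with no NUL within sizeof (a->tag) */`. acl_add_list's body continues outside the hunk.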
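Review bot: In the second acl_add_list hunk, `memcpy (a->tag, tag, tag_len + 1)` leaves the bytes after the terminator untouched, so when an existing ACL entry is replaced with a shorter tag the tail of the old tag presumably stays in `a->tag`. The two details senders changed by this patch stop at the NUL, but any reader that copies or compares the field at its full size (none is visible here) would pick up the stale bytes. Clearing the field first, `clib_memset (a->tag, 0, sizeof (a->tag));`, keeps it fully defined; the same applies to the copy in macip_acl_add_list in the fourth hunk. The function starts and ends outside the hunk.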
@@ -1609,7 +1619,7 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
 a->rules = acl_new_rules;
 a->count = count;
- memcpy (a->tag, tag, sizeof (a->tag));
+ memcpy (a->tag, tag, tag_len + 1);
 /* Create and populate the classifier tables */
 macip_create_classify_tables (am, *acl_list_index);
@@ -1936,7 +1946,7 @@ send_acl_details (acl_main_t * am, vl_api_registration_t * reg,
 mp->context = context;
 mp->count = htonl (vec_len (acl_rules));
 mp->acl_index = htonl (acl - am->acls);
- memcpy (mp->tag, acl->tag, sizeof (mp->tag));
+ snprintf ((char *) mp->tag, sizeof (mp->tag), "%s", acl->tag);
 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
 rules = mp->r;
 for (i = 0; i < vec_len (acl_rules); i++)
@@ -2170,7 +2180,7 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
 mp->context = context;
 if (acl)
 {
- memcpy (mp->tag, acl->tag, sizeof (mp->tag));
+ snprintf ((char *) mp->tag, sizeof (mp->tag), "%s", acl->tag);
 mp->count = htonl (acl->count);
 mp->acl_index = htonl (acl - am->macip_acls);
 rules = mp->r;
@@ -2936,7 +2946,6 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm,
 u32 acl_index = ~0;
 if (!tag)
 vec_add (tag, "cli", 4);
- vec_validate (tag, STRUCT_SIZE_OF (acl_list_t, tag) - 1);
 rv = acl_add_list (vec_len (rules), rules, &acl_index, tag);
-- 
2.16.6
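Review bot: In send_acl_details the new `snprintf` into `mp->tag` writes only up to the terminator, so the bytes after it keep whatever the message buffer already held. That is safe on the wire only if `mp` is zeroed after allocation, which happens outside the hunk and is worth confirming. If it is not zeroed, `clib_memset (mp->tag, 0, sizeof (mp->tag));` before the call avoids sending uninitialised bytes to the API client. The same applies to the `snprintf` in send_macip_acl_details in the next hunk; both functions start and end outside their hunks.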