ipsec: validate number of input sas

Type: fix

There is a statically allocated array for inbound SAs which can hold
4 IDs. The input parameter containing the IDs of th inbound SAs is a
vector and Its possible to pass a vector with more than 4 elements
and write the memory past the end of the array. Fail if more than 4
SAs are passed in the vector.

Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 07dd9ea..268f778 100644 (file)
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -626,6 +626,12 @@ ipsec_tun_protect_update (u32 sw_if_index,
            format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
            format_ip_address, nh);
 
+  if (vec_len (sas_in) > ITP_MAX_N_SA_IN)
+    {
+      rv = VNET_API_ERROR_LIMIT_EXCEEDED;
+      goto out;
+    }
+
   rv = 0;
   im = &ipsec_main;
   if (NULL == nh)

diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index 863afdb..90f2996 100644 (file)
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -59,6 +59,8 @@ typedef struct ipsec_ep_t_
   ip46_address_t dst;
 } ipsec_ep_t;
 
+#define ITP_MAX_N_SA_IN 4
+
 typedef struct ipsec_tun_protect_t_
 {
   CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
@@ -67,7 +69,7 @@ typedef struct ipsec_tun_protect_t_
   /* not using a vector since we want the memory inline
    * with this struct */
   u32 itp_n_sa_in;
-  index_t itp_in_sas[4];
+  index_t itp_in_sas[ITP_MAX_N_SA_IN];
 
   u32 itp_sw_if_index;