aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Grajciar <jgrajcia@cisco.com>2021-03-01 08:54:35 +0100
committerDamjan Marion <dmarion@me.com>2021-03-04 10:52:59 +0000
commitcef0cc1a07a50fe6ece9692e1d45790ee16d61ed (patch)
tree366ca9cf72ebcf1974fe7d7297d3a6170ce7e7fd
parent3d019a541cac0b8cc1ba6891f8c9f99bfe37d79e (diff)
libmemif: verify length of transmitted buffers
In memif_tx_burst verify that total buffer size (data_offset + data_len) does not exceed buffer size. If not valid returns MEMIF_ERR_INVAL_ARG. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: Ifae8f92344a401febbc1efd22c301356ccf83d44
-rw-r--r--extras/libmemif/src/main.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/extras/libmemif/src/main.c b/extras/libmemif/src/main.c
index 36f1251a158..e70334ae40f 100644
--- a/extras/libmemif/src/main.c
+++ b/extras/libmemif/src/main.c
@@ -2496,11 +2496,12 @@ memif_tx_burst (memif_conn_handle_t conn, uint16_t qid,
data_offset = b0->data - (d->offset + c->regions[d->region].addr);
if (data_offset != 0)
{
- /* verify data offset */
+ /* verify data offset and buffer length */
if ((data_offset < 0) ||
- (data_offset > (d->offset + offset_mask)))
+ ((data_offset + b0->len) > c->run_args.buffer_size))
{
- printf ("%ld\n", data_offset);
+ DBG ("slot: %d, data_offset: %d, length: %d",
+ b0->desc_index & mask, data_offset, b0->len);
err = MEMIF_ERR_INVAL_ARG;
goto done;
}