diff options
author | Matthew Smith <mgsmith@netgate.com> | 2020-04-10 20:27:33 -0500 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2020-04-14 07:37:28 +0000 |
commit | dc3e9664858df680accca7324299b633bf60397d (patch) | |
tree | 3da66ff699fb4971d8272ff127070ca384c37c76 | |
parent | 4fde4ae0363de45d867eb3472e43b89ae34d3bd1 (diff) |
ipsec: validate number of input sas
Type: fix
There is a statically allocated array for inbound SAs which can hold
4 IDs. The input parameter containing the IDs of th inbound SAs is a
vector and Its possible to pass a vector with more than 4 elements
and write the memory past the end of the array. Fail if more than 4
SAs are passed in the vector.
Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 6 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.h | 4 |
2 files changed, 9 insertions, 1 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index 07dd9ea409b..268f7783ebf 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -626,6 +626,12 @@ ipsec_tun_protect_update (u32 sw_if_index, format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index, format_ip_address, nh); + if (vec_len (sas_in) > ITP_MAX_N_SA_IN) + { + rv = VNET_API_ERROR_LIMIT_EXCEEDED; + goto out; + } + rv = 0; im = &ipsec_main; if (NULL == nh) diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h index 863afdbba5a..90f299668dc 100644 --- a/src/vnet/ipsec/ipsec_tun.h +++ b/src/vnet/ipsec/ipsec_tun.h @@ -59,6 +59,8 @@ typedef struct ipsec_ep_t_ ip46_address_t dst; } ipsec_ep_t; +#define ITP_MAX_N_SA_IN 4 + typedef struct ipsec_tun_protect_t_ { CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); @@ -67,7 +69,7 @@ typedef struct ipsec_tun_protect_t_ /* not using a vector since we want the memory inline * with this struct */ u32 itp_n_sa_in; - index_t itp_in_sas[4]; + index_t itp_in_sas[ITP_MAX_N_SA_IN]; u32 itp_sw_if_index; |