aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Valter <d-valter@yandex-team.ru>2023-01-22 13:09:15 +0000
committerDmitry Valter <dvalter@protonmail.com>2023-01-22 13:09:15 +0000
commit3b5ab65bd3a821dd82acfc34069293ff39dc1ef7 (patch)
tree0be23d83bd55895409a2b0db8d23d2a979ff2ebd
parent6a782ca3b0782116c5f34d1c958998e9a0af41ca (diff)
vppinfra: fix random buffer OOB crash with ASAN
Don't truncate with vec_set_len bytes before they can be used. When built with ASAN, it these bytes are poisoned and trigger SIGSEGV when read. Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: I912dbbd83822b884f214b3ddcde02e3527848592
-rw-r--r--src/vppinfra/random_buffer.h10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/vppinfra/random_buffer.h b/src/vppinfra/random_buffer.h
index 078e9607caa..83e6bcef479 100644
--- a/src/vppinfra/random_buffer.h
+++ b/src/vppinfra/random_buffer.h
@@ -54,6 +54,9 @@ typedef struct
/* Random buffer. */
uword *buffer;
+ /* An actual length to be applied before using the buffer. */
+ uword next_read_len;
+
/* Cache up to 1 word worth of bytes for random data
less than one word at a time. */
uword n_cached_bytes;
@@ -84,6 +87,11 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes)
{
uword n_words, i, l;
+ if (b->buffer)
+ vec_set_len (b->buffer, b->next_read_len);
+ else
+ ASSERT (b->next_read_len == 0);
+
l = b->n_cached_bytes;
if (n_bytes <= l)
{
@@ -100,7 +108,7 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes)
clib_random_buffer_fill (b, n_words);
i = vec_len (b->buffer) - n_words;
- vec_set_len (b->buffer, i);
+ b->next_read_len = i;
if (n_bytes < sizeof (uword))
{