diff options
| author |   Benoît Ganne <bganne@cisco.com> | 2021-01-05 17:47:59 +0100 |
|---|---|---|
| committer |   Andrew Yourtchenko <ayourtch@gmail.com> | 2021-01-11 12:42:16 +0000 |
| commit | 56177e64b620b93d3d935cd1f1663e2f7f1e5592 (patch) | |
| tree | 6c274065b58f6d405a0135afd4729d12ff143a7d | |
| parent | 68d7c546fa7e6c801031f2922c9be067d64e0f59 (diff) | |
acl: fix tag C-string overflow
tag is expected to be a null-terminated C-string
Type: fix
Change-Id: I633719068c37eac395cc30a6a314c00848e9cdca
Signed-off-by: Benoît Ganne <bganne@cisco.com>
| -rw-r--r-- | src/plugins/acl/acl.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 7cde5ce60ad..3fbfcf692ad 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -320,8 +320,13 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], acl_list_t *a; acl_rule_t *r; acl_rule_t *acl_new_rules = 0; + size_t tag_len; int i; + tag_len = clib_strnlen ((const char *) tag, sizeof (a->tag)); + if (tag_len == sizeof (a->tag)) + return VNET_API_ERROR_INVALID_VALUE; + if (am->trace_acl > 255) clib_warning ("API dbg: acl_add_list index %d tag %s", *acl_list_index, tag); @@ -399,7 +404,7 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], vec_free (a->rules); } a->rules = acl_new_rules; - memcpy (a->tag, tag, sizeof (a->tag)); + memcpy (a->tag, tag, tag_len + 1); if (am->trace_acl > 255) warning_acl_print_acl (am->vlib_main, am, *acl_list_index); if (am->reclassify_sessions) @@ -1548,9 +1553,14 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], macip_acl_list_t *a; macip_acl_rule_t *r; macip_acl_rule_t *acl_new_rules = 0; + size_t tag_len; int i; int rv = 0; + tag_len = clib_strnlen ((const char *) tag, sizeof (a->tag)); + if (tag_len == sizeof (a->tag)) + return VNET_API_ERROR_INVALID_VALUE; + if (*acl_list_index != ~0) { /* They supplied some number, let's see if this MACIP ACL exists */ @@ -1609,7 +1619,7 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], a->rules = acl_new_rules; a->count = count; - memcpy (a->tag, tag, sizeof (a->tag)); + memcpy (a->tag, tag, tag_len + 1); /* Create and populate the classifier tables */ macip_create_classify_tables (am, *acl_list_index); @@ -1936,7 +1946,7 @@ send_acl_details (acl_main_t * am, vl_api_registration_t * reg, mp->context = context; mp->count = htonl (vec_len (acl_rules)); mp->acl_index = htonl (acl - am->acls); - memcpy (mp->tag, acl->tag, sizeof (mp->tag)); + snprintf ((char *) mp->tag, sizeof (mp->tag), "%s", acl->tag); // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0])); rules = mp->r; for (i = 0; i < vec_len (acl_rules); i++) @@ -2170,7 +2180,7 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg, mp->context = context; if (acl) { - memcpy (mp->tag, acl->tag, sizeof (mp->tag)); + snprintf ((char *) mp->tag, sizeof (mp->tag), "%s", acl->tag); mp->count = htonl (acl->count); mp->acl_index = htonl (acl - am->macip_acls); rules = mp->r; @@ -2936,7 +2946,6 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm, u32 acl_index = ~0; if (!tag) vec_add (tag, "cli", 4); - vec_validate (tag, STRUCT_SIZE_OF (acl_list_t, tag) - 1); rv = acl_add_list (vec_len (rules), rules, &acl_index, tag); |