authorNeale Ranns <nranns@cisco.com>2018-10-10 13:27:00 +0000
committerDamjan Marion <dmarion@me.com>2018-10-11 20:51:14 +0000
commit713322bd32a07135a5d16c55bcd909f2d073b8cb (patch)
treebe9998a81a460cdfdb964b13da848d8c1bbe6e7e
parent33f276e0af41212ae3894101f7182ab4772a71f5 (diff)
Integer underflow and out-of-bounds read (VPP-1442)
Change-Id: Ife2a83b9d7f733f36e0e786ef79edcd394d7c0f9 Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r--src/vlib/buffer_node.h13
-rw-r--r--src/vppinfra/string.h8
2 files changed, 13 insertions, 8 deletions
diff --git a/src/vlib/buffer_node.h b/src/vlib/buffer_node.h
index 93ffb1e9dce..35e15a5d919 100644
--- a/src/vlib/buffer_node.h
+++ b/src/vlib/buffer_node.h
@@ -366,10 +366,15 @@ vlib_buffer_enqueue_to_next (vlib_main_t * vm, vlib_node_runtime_t * node,
n_enqueued = count_trailing_zeros (~bitmap) / 2;
#else
u16 x = 0;
- x |= next_index ^ nexts[1];
- x |= next_index ^ nexts[2];
- x |= next_index ^ nexts[3];
- n_enqueued = (x == 0) ? 4 : 1;
+ if (count + 3 < max)
+ {
+ x |= next_index ^ nexts[1];
+ x |= next_index ^ nexts[2];
+ x |= next_index ^ nexts[3];
+ n_enqueued = (x == 0) ? 4 : 1;
+ }
+ else
+ n_enqueued = 1;
#endif
if (PREDICT_FALSE (n_enqueued > max))
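Review bot: The new guard `if (count + 3 < max)` in the scalar `#else` branch looks like it compares the wrong pair of values for this function. The definitions of `count` and `max` are outside the hunk, but the clamp that follows, `if (PREDICT_FALSE (n_enqueued > max))`, suggests `max` is an upper limit on what may be enqueued. If it is derived as a minimum that includes `count` (the entries left in `nexts`), then `count + 3 < max` can never be true, the 4-wide comparison is dead code, and every iteration takes the `n_enqueued = 1` path. The reads of `nexts[1]` to `nexts[3]` only need three more valid entries, so a guard such as `if (count > 3)` would keep the out-of-bounds fix without losing the batched path; please confirm against the declarations above the hunk. The function body starts and ends outside the hunk.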
diff --git a/src/vppinfra/string.h b/src/vppinfra/string.h
index 8f165dfa18e..2c794baf71f 100644
--- a/src/vppinfra/string.h
+++ b/src/vppinfra/string.h
@@ -356,7 +356,7 @@ clib_count_equal_u64 (u64 * data, uword max_count)
#endif
count += 2;
data += 2;
- while (count < max_count - 3 &&
+ while (count + 3 < max_count &&
((data[0] ^ first) | (data[1] ^ first) |
(data[2] ^ first) | (data[3] ^ first)) == 0)
{
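Review bot: The rewritten condition `count + 3 < max_count` has no comment explaining why the addition sits on the left, so a later cleanup could turn it back into the subtracting form. `max_count` is a `uword`, so `max_count - 3` wraps to a very large value whenever `max_count` is below 3, and the loop then reads `data[0]` to `data[3]` past the end of the caller's array. A one-line comment above the `while` would record that, for example `/* keep the +3 on the left: max_count - 3 wraps when max_count < 3 */`. The same comment applies to the identical loops in clib_count_equal_u32, clib_count_equal_u16 and clib_count_equal_u8 in the following hunks. Each function body continues outside its hunk.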
@@ -424,7 +424,7 @@ clib_count_equal_u32 (u32 * data, uword max_count)
#endif
count += 2;
data += 2;
- while (count < max_count - 3 &&
+ while (count + 3 < max_count &&
((data[0] ^ first) | (data[1] ^ first) |
(data[2] ^ first) | (data[3] ^ first)) == 0)
{
@@ -492,7 +492,7 @@ clib_count_equal_u16 (u16 * data, uword max_count)
#endif
count += 2;
data += 2;
- while (count < max_count - 3 &&
+ while (count + 3 < max_count &&
((data[0] ^ first) | (data[1] ^ first) |
(data[2] ^ first) | (data[3] ^ first)) == 0)
{
@@ -560,7 +560,7 @@ clib_count_equal_u8 (u8 * data, uword max_count)
#endif
count += 2;
data += 2;
- while (count < max_count - 3 &&
+ while (count + 3 < max_count &&
((data[0] ^ first) | (data[1] ^ first) |
(data[2] ^ first) | (data[3] ^ first)) == 0)
{