diff options
author | Dmitry Valter <d-valter@yandex-team.ru> | 2023-01-22 13:09:15 +0000 |
---|---|---|
committer | Dmitry Valter <dvalter@protonmail.com> | 2023-01-22 13:09:15 +0000 |
commit | 3b5ab65bd3a821dd82acfc34069293ff39dc1ef7 (patch) | |
tree | 0be23d83bd55895409a2b0db8d23d2a979ff2ebd | |
parent | 6a782ca3b0782116c5f34d1c958998e9a0af41ca (diff) |
vppinfra: fix random buffer OOB crash with ASAN
Don't truncate with vec_set_len bytes before they can be used. When
built with ASAN, it these bytes are poisoned and trigger SIGSEGV when
read.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I912dbbd83822b884f214b3ddcde02e3527848592
-rw-r--r-- | src/vppinfra/random_buffer.h | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/vppinfra/random_buffer.h b/src/vppinfra/random_buffer.h index 078e9607caa..83e6bcef479 100644 --- a/src/vppinfra/random_buffer.h +++ b/src/vppinfra/random_buffer.h @@ -54,6 +54,9 @@ typedef struct /* Random buffer. */ uword *buffer; + /* An actual length to be applied before using the buffer. */ + uword next_read_len; + /* Cache up to 1 word worth of bytes for random data less than one word at a time. */ uword n_cached_bytes; @@ -84,6 +87,11 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes) { uword n_words, i, l; + if (b->buffer) + vec_set_len (b->buffer, b->next_read_len); + else + ASSERT (b->next_read_len == 0); + l = b->n_cached_bytes; if (n_bytes <= l) { @@ -100,7 +108,7 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes) clib_random_buffer_fill (b, n_words); i = vec_len (b->buffer) - n_words; - vec_set_len (b->buffer, i); + b->next_read_len = i; if (n_bytes < sizeof (uword)) { |