ipsec: validate number of input sas

Type: fix There is a statically allocated array for inbound SAs which can hold 4 IDs. The input parameter containing the IDs of th inbound SAs is a vector and Its possible to pass a vector with more than 4 elements and write the memory past the end of the array. Fail if more than 4 SAs are passed in the vector. Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb Signed-off-by: Matthew Smith <mgsmith@netgate.com>
author: Matthew Smith <mgsmith@netgate.com> 2020-04-10 20:27:33 -0500
committer: Neale Ranns <nranns@cisco.com> 2020-04-14 07:37:28 +0000
commit: dc3e9664858df680accca7324299b633bf60397d (patch)
tree: 3da66ff699fb4971d8272ff127070ca384c37c76 /src/vnet/ipsec/ipsec_tun.c
parent: 4fde4ae0363de45d867eb3472e43b89ae34d3bd1 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 07dd9ea409b..268f7783ebf 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -626,6 +626,12 @@ ipsec_tun_protect_update (u32 sw_if_index,
 	    format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
 	    format_ip_address, nh);
 
+  if (vec_len (sas_in) > ITP_MAX_N_SA_IN)
+    {
+      rv = VNET_API_ERROR_LIMIT_EXCEEDED;
+      goto out;
+    }
+
   rv = 0;
   im = &ipsec_main;
   if (NULL == nh)
author	Matthew Smith <mgsmith@netgate.com>	2020-04-10 20:27:33 -0500
committer	Neale Ranns <nranns@cisco.com>	2020-04-14 07:37:28 +0000
commit	dc3e9664858df680accca7324299b633bf60397d (patch)
tree	3da66ff699fb4971d8272ff127070ca384c37c76 /src/vnet/ipsec/ipsec_tun.c
parent	4fde4ae0363de45d867eb3472e43b89ae34d3bd1 (diff)