diff options
author | Neale Ranns <nranns@cisco.com> | 2018-10-10 13:27:00 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2018-10-11 20:51:14 +0000 |
commit | 713322bd32a07135a5d16c55bcd909f2d073b8cb (patch) | |
tree | be9998a81a460cdfdb964b13da848d8c1bbe6e7e /src | |
parent | 33f276e0af41212ae3894101f7182ab4772a71f5 (diff) |
Integer underflow and out-of-bounds read (VPP-1442)
Change-Id: Ife2a83b9d7f733f36e0e786ef79edcd394d7c0f9
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/vlib/buffer_node.h | 13 | ||||
-rw-r--r-- | src/vppinfra/string.h | 8 |
2 files changed, 13 insertions, 8 deletions
diff --git a/src/vlib/buffer_node.h b/src/vlib/buffer_node.h index 93ffb1e9dce..35e15a5d919 100644 --- a/src/vlib/buffer_node.h +++ b/src/vlib/buffer_node.h @@ -366,10 +366,15 @@ vlib_buffer_enqueue_to_next (vlib_main_t * vm, vlib_node_runtime_t * node, n_enqueued = count_trailing_zeros (~bitmap) / 2; #else u16 x = 0; - x |= next_index ^ nexts[1]; - x |= next_index ^ nexts[2]; - x |= next_index ^ nexts[3]; - n_enqueued = (x == 0) ? 4 : 1; + if (count + 3 < max) + { + x |= next_index ^ nexts[1]; + x |= next_index ^ nexts[2]; + x |= next_index ^ nexts[3]; + n_enqueued = (x == 0) ? 4 : 1; + } + else + n_enqueued = 1; #endif if (PREDICT_FALSE (n_enqueued > max)) diff --git a/src/vppinfra/string.h b/src/vppinfra/string.h index 8f165dfa18e..2c794baf71f 100644 --- a/src/vppinfra/string.h +++ b/src/vppinfra/string.h @@ -356,7 +356,7 @@ clib_count_equal_u64 (u64 * data, uword max_count) #endif count += 2; data += 2; - while (count < max_count - 3 && + while (count + 3 < max_count && ((data[0] ^ first) | (data[1] ^ first) | (data[2] ^ first) | (data[3] ^ first)) == 0) { @@ -424,7 +424,7 @@ clib_count_equal_u32 (u32 * data, uword max_count) #endif count += 2; data += 2; - while (count < max_count - 3 && + while (count + 3 < max_count && ((data[0] ^ first) | (data[1] ^ first) | (data[2] ^ first) | (data[3] ^ first)) == 0) { @@ -492,7 +492,7 @@ clib_count_equal_u16 (u16 * data, uword max_count) #endif count += 2; data += 2; - while (count < max_count - 3 && + while (count + 3 < max_count && ((data[0] ^ first) | (data[1] ^ first) | (data[2] ^ first) | (data[3] ^ first)) == 0) { @@ -560,7 +560,7 @@ clib_count_equal_u8 (u8 * data, uword max_count) #endif count += 2; data += 2; - while (count < max_count - 3 && + while (count + 3 < max_count && ((data[0] ^ first) | (data[1] ^ first) | (data[2] ^ first) | (data[3] ^ first)) == 0) { |