From f48de88527d324efebbc1af4f1a1d51ef030996d Mon Sep 17 00:00:00 2001 
From: Andrew Yourtchenko Date: Sat, 6 Feb 2021 12:28:52 +0000 Subject: vppinfra: do not crash if format string is null Sending 128 bytes of zeroes via API shared memory interface (or putting any other message ID that results in null message name - e.g. 2,4,5) results in this crash: Program received signal SIGSEGV, Segmentation fault. va_format (s=0x7fffb5643a60 "memclnt_create", fmt=0x0, va=0x7fffa739ccf0) at /home/ubuntu/vpp/src/vppinfra/format.c:395 395 c = *f; (gdb) bt 0 va_format (s=0x7fffb5643a60 "memclnt_create", fmt=0x0, va=0x7fffa739ccf0) at /home/ubuntu/vpp/src/vppinfra/format.c:395 1 0x00007ffff50e7259 in elog_string (em=0x7ffff5f2fbc8 , fmt=0x0) at /home/ubuntu/vpp/src/vppinfra/elog.c:592 2 0x00007ffff7bc4cec in vl_msg_api_handler_with_vm_node (am=0x7ffff7dd1c90 , vlib_rp=0x130023000, the_msg=0x130086d50, vm=0x7ffff5f2f800 , node=0x7fffb5edd4c0, is_private=0 '\000') at /home/ubuntu/vpp/src/vlibapi/api_shared.c:585 3 0x00007ffff7ba6c86 in void_mem_api_handle_msg_i (am=0x7ffff7dd1c90 , vlib_rp=0x130023000, vm=, node=, is_private=0 '\000') at /home/ubuntu/vpp/src/vlibmemory/memory_api.c:696 4 vl_mem_api_handle_msg_main (vm=0x7ffff5f2f800 , node=0x7fffb5edd4c0) at /home/ubuntu/vpp/src/vlibmemory/memory_api.c:707 5 0x00007ffff7bb573e in vl_api_clnt_process (vm=0x7ffff5f2f800 , node=0x7fffb5edd4c0, f=) at /home/ubuntu/vpp/src/vlibmemory/vlib_api.c:338 6 0x00007ffff5cb3bb7 in vlib_process_bootstrap (_a=) at /home/ubuntu/vpp/src/vlib/main.c:1477 7 0x00007ffff514088c in clib_calljmp () from /home/ubuntu/vpp/build-root/install-vpp-native/vpp/lib/libvppinfra.so.21.01 8 0x00007fffa95b0550 in ?? () 9 0x00007ffff5ca93e2 in vlib_process_startup (vm=0x7ffff5f2f800 , p=0x7fffb5edd4c0, f=0x0) at /home/ubuntu/vpp/src/vlib/main.c:1502 10 dispatch_process (vm=0x7ffff5f2f800 , p=0x7fffb5edd4c0, f=0x0, last_time_stamp=) at /home/ubuntu/vpp/src/vlib/main.c:1558 11 0x0000000000000000 in ?? 
() (gdb) I am not sure if this place is better to fix it or the 4-5 places in vl_msg_api_handler_with_vm_node that it gets called from, but submitting this one since it is the shortest
Type: fix
Change-Id: I659d2bea7405d8763181336f35ef468682f64cf2
Signed-off-by: Andrew Yourtchenko
---
 src/vlibapi/api_shared.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/vlibapi/api_shared.c')
diff --git a/src/vlibapi/api_shared.c b/src/vlibapi/api_shared.c
index 5e715d6f829..ec74b5fe357 100644
--- a/src/vlibapi/api_shared.c
+++ b/src/vlibapi/api_shared.c
@@ -454,7 +454,7 @@ msg_handler_internal (api_main_t * am,
 u32 c;
 } *ed;
 ed = ELOG_DATA (am->elog_main, e);
- if (id < vec_len (am->msg_names))
+ if (id < vec_len (am->msg_names) && am->msg_names[id])
 ed->c = elog_string (am->elog_main, (char *) am->msg_names[id]);
 else
 ed->c = elog_string (am->elog_main, "BOGUS");
@@ -537,7 +537,7 @@ msg_handler_internal (api_main_t * am,
 u32 c;
 } *ed;
 ed = ELOG_DATA (am->elog_main, e);
- if (id < vec_len (am->msg_names))
+ if (id < vec_len (am->msg_names) && am->msg_names[id])
 {
 ed->c = elog_string (am->elog_main, (char *) am->msg_names[id]);
 ed->barrier = !am->is_mp_safe[id];
@@ -579,7 +579,7 @@ vl_msg_api_handler_with_vm_node (api_main_t * am, svm_region_t * vlib_rp,
 u32 c;
 } *ed;
 ed = ELOG_DATA (am->elog_main, e);
- if (id < vec_len (am->msg_names))
+ if (id < vec_len (am->msg_names) && am->msg_names[id])
 ed->c = elog_string (am->elog_main, (char *) am->msg_names[id]);
 else
 ed->c = elog_string (am->elog_main, "BOGUS");
@@ -678,7 +678,7 @@ vl_msg_api_handler_with_vm_node (api_main_t * am, svm_region_t * vlib_rp,
 u32 c;
 } *ed;
 ed = ELOG_DATA (am->elog_main, e);
- if (id < vec_len (am->msg_names))
+ if (id < vec_len (am->msg_names) && am->msg_names[id])
 ed->c = elog_string (am->elog_main, (char *) am->msg_names[id]);
 else
 ed->c = elog_string (am->elog_main, "BOGUS");
-- cgit 1.2.3-korg
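Review bot: The guard `id < vec_len (am->msg_names) && am->msg_names[id]` is now spelled out by hand in four places (this hunk at 454 and the hunks at 537, 579 and 678), so the next time the validity rule for a client-supplied message id changes, all four elog sites have to be found and edited again; hoisting it into one static helper keeps the check in a single place and gives the "BOGUS" case a name. The description's own remark that the crash could instead be fixed in elog_string reads as a sign that the condition is about to spread further, which is another reason to centralise it. Both enclosing functions, msg_handler_internal and vl_msg_api_handler_with_vm_node, start and end outside the hunks, so I cannot see whether the else branch at 537 needs anything beyond the condition change. Sketch of the helper and the one-line replacement at each site:
```c
/* True when id names a registered message with a non-NULL name; ids past
 * the table, or registered with a NULL name, are elogged as "BOGUS". */
static inline int
msg_id_has_name (api_main_t *am, u32 id)
{
  return id < vec_len (am->msg_names) && am->msg_names[id];
}

/* … unchanged: ELOG_DATA setup at each of the four sites … */
      if (msg_id_has_name (am, id))
```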