From dc3e9664858df680accca7324299b633bf60397d Mon Sep 17 00:00:00 2001 From: Matthew Smith Date: Fri, 10 Apr 2020 20:27:33 -0500 Subject: ipsec: validate number of input sas Type: fix There is a statically allocated array for inbound SAs which can hold 4 IDs. The input parameter containing the IDs of th inbound SAs is a vector and Its possible to pass a vector with more than 4 elements and write the memory past the end of the array. Fail if more than 4 SAs are passed in the vector. Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb Signed-off-by: Matthew Smith --- src/vnet/ipsec/ipsec_tun.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/vnet/ipsec/ipsec_tun.c') diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index 07dd9ea409b..268f7783ebf 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -626,6 +626,12 @@ ipsec_tun_protect_update (u32 sw_if_index, format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index, format_ip_address, nh); + if (vec_len (sas_in) > ITP_MAX_N_SA_IN) + { + rv = VNET_API_ERROR_LIMIT_EXCEEDED; + goto out; + } + rv = 0; im = &ipsec_main; if (NULL == nh) -- cgit 1.2.3-korg