From 3b5ab65bd3a821dd82acfc34069293ff39dc1ef7 Mon Sep 17 00:00:00 2001 From: Dmitry Valter Date: Sun, 22 Jan 2023 13:09:15 +0000 Subject: vppinfra: fix random buffer OOB crash with ASAN Don't truncate with vec_set_len bytes before they can be used. When built with ASAN, it these bytes are poisoned and trigger SIGSEGV when read. Type: fix Signed-off-by: Dmitry Valter Change-Id: I912dbbd83822b884f214b3ddcde02e3527848592 --- src/vppinfra/random_buffer.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/vppinfra/random_buffer.h') diff --git a/src/vppinfra/random_buffer.h b/src/vppinfra/random_buffer.h index 078e9607caa..83e6bcef479 100644 --- a/src/vppinfra/random_buffer.h +++ b/src/vppinfra/random_buffer.h @@ -54,6 +54,9 @@ typedef struct /* Random buffer. */ uword *buffer; + /* An actual length to be applied before using the buffer. */ + uword next_read_len; + /* Cache up to 1 word worth of bytes for random data less than one word at a time. */ uword n_cached_bytes; @@ -84,6 +87,11 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes) { uword n_words, i, l; + if (b->buffer) + vec_set_len (b->buffer, b->next_read_len); + else + ASSERT (b->next_read_len == 0); + l = b->n_cached_bytes; if (n_bytes <= l) { @@ -100,7 +108,7 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes) clib_random_buffer_fill (b, n_words); i = vec_len (b->buffer) - n_words; - vec_set_len (b->buffer, i); + b->next_read_len = i; if (n_bytes < sizeof (uword)) { -- cgit 1.2.3-korg