From 61459c9be0f620f738cf049b1b33e1a2d13dc9a6 Mon Sep 17 00:00:00 2001
From: Andrew Yourtchenko <ayourtch@gmail.com>
Date: Sat, 28 Jan 2017 15:31:19 +0000
Subject: VPP-621: ping: ICMP echo data size must be bounded by
 VLIB_BUFFER_DATA_SIZE minus headers.

Before commit 878c6098, VLIB_BUFFER_DATA_SIZE differed depending on whether
"vpp" or "vpp_lite" was being built, which resulted in an overrun in the vpp_lite build.
Avoid the hardcoded value and make the upper bound for ICMP echo data size
dependent on the buffer size.

Change-Id: Id6c4d7fc73766a95af2610eb237881b5fe9ce9aa
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
---
 src/vnet/ip/ping.c | 30 +++++++++++++++++++++---------
 src/vnet/ip/ping.h | 45 +++++++++++++++++++++++++--------------------
 2 files changed, 46 insertions(+), 29 deletions(-)


diff --git a/src/vnet/ip/ping.c b/src/vnet/ip/ping.c
index 88882629426..00e2bfb18e2 100644
--- a/src/vnet/ip/ping.c
+++ b/src/vnet/ip/ping.c
@@ -13,6 +13,7 @@
  * limitations under the License.
  */
 
+#include <stddef.h>
 #include <vnet/ip/ping.h>
 #include <vnet/fib/ip6_fib.h>
 #include <vnet/fib/ip4_fib.h>
@@ -243,15 +244,10 @@ init_icmp46_echo_request (icmp46_echo_request_t * icmp46_echo,
   icmp46_echo->seq = clib_host_to_net_u16 (seq_host);
   icmp46_echo->id = clib_host_to_net_u16 (id_host);
 
-  for (i = 0; i < sizeof (icmp46_echo->data); i++)
-    {
-      icmp46_echo->data[i] = i % 256;
-    }
-
-  if (data_len > sizeof (icmp46_echo_request_t))
-    {
-      data_len = sizeof (icmp46_echo_request_t);
-    }
+  if (data_len > PING_MAXIMUM_DATA_SIZE)
+    data_len = PING_MAXIMUM_DATA_SIZE;
+  for (i = 0; i < data_len; i++)
+    icmp46_echo->data[i] = i % 256;
   return data_len;
 }
 
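Review bot: The fill loop in init_icmp46_echo_request now writes up to PING_MAXIMUM_DATA_SIZE bytes through `icmp46_echo->data`, which this commit turns into a zero-length trailing array, so nothing at the function states that the caller must supply the storage. I would add a comment above the clamp, e.g. `/* data[] has no storage of its own: icmp46_echo must point into a vlib buffer with PING_MAXIMUM_DATA_SIZE bytes available after the fixed echo fields */`. The clamp also shortens an oversized request silently, and it compares `data_len` against a `size_t` expression. The declarations of `i` and `data_len` are outside the hunk, so their width and signedness should be confirmed against the new bound. The function body starts outside the hunk.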
@@ -267,11 +263,15 @@ send_ip6_ping (vlib_main_t * vm, ip6_main_t * im,
   vlib_buffer_t *p0;
   vlib_frame_t *f;
   u32 *to_next;
+  vlib_buffer_free_list_t *fl;
 
   if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
     return SEND_PING_ALLOC_FAIL;
 
   p0 = vlib_get_buffer (vm, bi0);
+  fl = vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+  vlib_buffer_init_for_free_list (p0, fl);
+  VLIB_BUFFER_TRACE_TRAJECTORY_INIT (p0);
 
   /*
    * if the user did not provide a source interface, use the any interface
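Review bot: The three lines added after `vlib_get_buffer` in send_ip6_ping re-initialise a freshly allocated buffer with no comment saying why, and the same lines are repeated in send_ip4_ping in the next hunk. Presumably the reset guarantees that the whole VLIB_BUFFER_DATA_SIZE area is usable from the start of the buffer data, which the new PING_MAXIMUM_DATA_SIZE bound relies on. If so, record it: `/* reset buffer metadata so the full data area is usable; PING_MAXIMUM_DATA_SIZE assumes this */`. A small static helper shared by both senders would keep the two copies from drifting apart. Both functions continue outside their hunks.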
@@ -376,11 +376,15 @@ send_ip4_ping (vlib_main_t * vm,
   vlib_frame_t *f;
   u32 *to_next;
   u32 if_add_index0;
+  vlib_buffer_free_list_t *fl;
 
   if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
     return SEND_PING_ALLOC_FAIL;
 
   p0 = vlib_get_buffer (vm, bi0);
+  fl = vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+  vlib_buffer_init_for_free_list (p0, fl);
+  VLIB_BUFFER_TRACE_TRAJECTORY_INIT (p0);
 
   /*
    * if the user did not provide a source interface, use the any interface
@@ -759,6 +763,14 @@ ping_ip_address (vlib_main_t * vm,
 				   format_unformat_error, input);
 	      goto done;
 	    }
+	  if (data_len > PING_MAXIMUM_DATA_SIZE)
+	    {
+	      error =
+		clib_error_return (0,
+				   "%d is bigger than maximum allowed payload size %d",
+				   data_len, PING_MAXIMUM_DATA_SIZE);
+	      goto done;
+	    }
 	}
       else if (unformat (input, "table-id"))
 	{
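Review bot: `PING_MAXIMUM_DATA_SIZE` is now built from `sizeof` and `offsetof`, so it has type `size_t`, yet the new error message passes it to a `%d` conversion in `clib_error_return`. Where `size_t` is wider than `int`, that is an argument-width mismatch in a variadic call. Cast at the call site, `data_len, (int) PING_MAXIMUM_DATA_SIZE);`, or use a conversion that matches the type. The declaration of `data_len` is outside the hunk; if it is a signed int, a negative value is converted to unsigned in `data_len > PING_MAXIMUM_DATA_SIZE` and rejected here, which is the safe outcome but deserves a comment. ping_ip_address starts and ends outside the hunk.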
diff --git a/src/vnet/ip/ping.h b/src/vnet/ip/ping.h
index 8f41f45c5f9..1887314a93c 100644
--- a/src/vnet/ip/ping.h
+++ b/src/vnet/ip/ping.h
@@ -59,26 +59,31 @@ ping_main_t ping_main;
 #define PING_DEFAULT_DATA_LEN 60
 #define PING_DEFAULT_INTERVAL 1.0
 
-#define PING_MAXIMUM_DATA_SIZE 2000
-
-typedef CLIB_PACKED (struct
-		     {
-		     u16 id;
-		     u16 seq; f64 time_sent; u8 data[PING_MAXIMUM_DATA_SIZE];
-		     }) icmp46_echo_request_t;
-
-
-typedef CLIB_PACKED (struct
-		     {
-		     ip6_header_t ip6;
-		     icmp46_header_t icmp; icmp46_echo_request_t icmp_echo;
-		     }) icmp6_echo_request_header_t;
-
-typedef CLIB_PACKED (struct
-		     {
-		     ip4_header_t ip4;
-		     icmp46_header_t icmp; icmp46_echo_request_t icmp_echo;
-		     }) icmp4_echo_request_header_t;
+#define PING_MAXIMUM_DATA_SIZE (VLIB_BUFFER_DATA_SIZE - sizeof(ip6_header_t) - sizeof(icmp46_header_t) - offsetof(icmp46_echo_request_t, data))
+
+/* *INDENT-OFF* */
+
+typedef CLIB_PACKED (struct {
+  u16 id;
+  u16 seq;
+  f64 time_sent;
+  u8 data[0];
+}) icmp46_echo_request_t;
+
+
+typedef CLIB_PACKED (struct {
+  ip6_header_t ip6;
+  icmp46_header_t icmp;
+  icmp46_echo_request_t icmp_echo;
+}) icmp6_echo_request_header_t;
+
+typedef CLIB_PACKED (struct {
+  ip4_header_t ip4;
+  icmp46_header_t icmp;
+  icmp46_echo_request_t icmp_echo;
+}) icmp4_echo_request_header_t;
+
+/* *INDENT-ON* */
 
 
 typedef struct
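Review bot: The new `PING_MAXIMUM_DATA_SIZE` macro uses `offsetof`, but `<stddef.h>` is added to ping.c ahead of the ping.h include rather than to ping.h itself, so any other file that includes this header and expands the macro depends on include order. Put `#include <stddef.h>` in ping.h. The macro subtracts `sizeof(ip6_header_t)` for both address families, which is conservative for IPv4; a comment such as `/* sized for the larger (IPv6) header so one bound is safe for both senders */` would record that. The subtraction is unsigned, so the bound is only meaningful while VLIB_BUFFER_DATA_SIZE exceeds the combined header size; a compile-time assertion next to the macro would pin that down.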