From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202502 header.b=Y3v08kaY; dkim-atps=neutral Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id BCA575A0779 for ; Mon, 17 Mar 2025 11:02:30 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202502; t=1742205731; bh=b7zsqsgJMbgn0t5VyNxkVroYWXaCMmqK3kekvj+3jnw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Y3v08kaY/P9JYXGIXc+MXUoPrDEgOB4597PshmkWhkfXo4QjJ0zcjJArYppmw3699 C6zfZWQ8XTqWhj0aJePa78rtdOiSCmSn8DEs6t5M5WSqG28BJ+Cop8KhD+6YCxk6Et cBL0iNiSXNJlX8bDD4Q3zMr+axGkpLCX36uBDiQ9ThJ7U9DUBVFkiNzvHs4gTB1N3w GnU7NnYSUKqYZa98I40hNXi6CtuqrjhAIflkW6zuI5lVglUjO+no+1fgQ8B2tvgNK4 Z9HXQ282BsgvQzWKBC+ENjbqmBTRqJgwuYWLjNPz82tljxCWSPxOfzjm9BrwnlI2MD V3nEAuCMTXcpg== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4ZGVrM6Dc9z4xCW; Mon, 17 Mar 2025 21:02:11 +1100 (AEDT) From: David Gibson To: passt-dev@passt.top, Stefano Brivio Subject: [PATCH v2 06/11] packet: Avoid integer overflows in packet_get_do() Date: Mon, 17 Mar 2025 20:24:19 +1100 Message-ID: <20250317092424.1461719-7-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250317092424.1461719-1-david@gibson.dropbear.id.au> References: <20250317092424.1461719-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: RVQNNIWNJSQX4TXZXL5M2XYG323JZNI3 X-Message-ID-Hash: RVQNNIWNJSQX4TXZXL5M2XYG323JZNI3 X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: In packet_get_do() both offset and len are essentially untrusted. We do some validation of len (check it's < PACKET_MAX_LEN), but that's not enough to ensure that (len + offset) doesn't overflow. Rearrange our calculation to make sure it's safe regardless of the given offset & len values. Signed-off-by: David Gibson --- packet.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packet.c b/packet.c index 08076d57..fdc4be76 100644 --- a/packet.c +++ b/packet.c @@ -144,7 +144,8 @@ void *packet_get_do(const struct pool *p, size_t idx, size_t offset, return NULL; } - if (len + offset > p->pkt[idx].iov_len) { + if (offset > p->pkt[idx].iov_len || + len > (p->pkt[idx].iov_len - offset)) { if (func) { trace("data length %zu, offset %zu from length %zu, " "%s:%i", len, offset, p->pkt[idx].iov_len, -- 2.48.1