parse_prefix(), parse_int(), parse_mac_addr(), parse_ipv4_addr() and parse_ipv6_addr() unconditionally overwrite the `size` parameter with token size. The `size` parameter references a buffer where the parser functions will store their result.
If the `size` value was less than token size, parser will corrupt memory outsite of target buffer. The patch adds sizes validation.
Fixes: d3f61b7bad20 ("app/testpmd: add flow item spec prefix length")
Fixes: 8a03ab58cc0a ("app/testpmd: support flow integer")
Fixes: 6df81b325fa4 ("app/testpmd: add items eth/vlan to flow command")
Fixes: ef6e38550f07 ("app/testpmd: add items ipv4/ipv6 to flow command")
Cc: sta...@dpdk.org
Signed-off-by: Gregory Etelson <getel...@nvidia.com>
---
 app/test-pmd/cmdline_flow.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/app/test-pmd/cmdline_flow.c b/app/test-pmd/cmdline_flow.c
index ce71818705..87541d2c46 100644
--- a/app/test-pmd/cmdline_flow.c
+++ b/app/test-pmd/cmdline_flow.c
@@ -7715,6 +7715,8 @@ parse_prefix(struct context *ctx, const struct token *token,
 }
 bytes = u / 8;
 extra = u % 8;
+ if (size < arg->size)
+ goto error;
 size = arg->size;
 if (bytes > size || bytes + !!extra > size)
 goto error;
@@ -10806,6 +10808,8 @@ parse_int(struct context *ctx, const struct token *token,
 return len;
 }
 buf = (uint8_t *)ctx->object + arg->offset;
+ if (size < arg->size)
+ goto error;
 size = arg->size;
 if (u > RTE_LEN2MASK(size * CHAR_BIT, uint64_t))
 return -1;
@@ -11093,6 +11097,8 @@ parse_mac_addr(struct context *ctx, const struct token *token,
 /* Argument is expected. */
 if (!arg)
 return -1;
+ if (size < arg->size)
+ goto error;
 size = arg->size;
 /* Bit-mask fill is not supported. */
 if (arg->mask || size != sizeof(tmp))
@@ -11134,6 +11140,8 @@ parse_ipv4_addr(struct context *ctx, const struct token *token,
 /* Argument is expected. */
 if (!arg)
 return -1;
+ if (size < arg->size)
+ goto error;
 size = arg->size;
 /* Bit-mask fill is not supported. */
 if (arg->mask || size != sizeof(tmp))
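Review bot: In parse_prefix the size check sits after a block that closes just above `bytes = u / 8;`, whereas in parse_mac_addr, parse_ipv4_addr and parse_ipv6_addr it comes directly after the `if (!arg)` test; parse_int has the same late placement, and there the preceding block visibly ends in `return len;`. If that earlier block (outside this hunk) also stores into the target, it does so without the new validation. Consider moving `if (size < arg->size) goto error;` up to follow the argument check so every path is covered, or add a comment stating why the earlier path is exempt.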
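Review bot: In parse_int the added `if (size < arg->size)` compares the caller-supplied capacity against the field width, but the line just above it has already redirected `buf` to `(uint8_t *)ctx->object + arg->offset`, so the store that follows presumably lands in `ctx->object` and not in the buffer that `size` describes. The bound that keeps that write in range would then be `arg->offset + arg->size` against the size of the object behind `ctx->object`, which this hunk does not check. Call sites are outside the hunk; any that passes a placeholder `size` (for instance 0 together with a NULL `buf`) would now fail every time, so they should be audited before this is merged. The new check also leaves through `goto error` while the range check two lines below uses `return -1`; the `error` label is not visible here, so confirm which exit is intended for both.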
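Review bot: The new guard in parse_mac_addr is the only check in this hunk without an explanatory comment, and the same applies to the identical additions in parse_ipv4_addr and parse_ipv6_addr. Because `size` is overwritten on the very next line, a reader cannot tell what the parameter meant on entry; a comment such as `/* Caller's buffer must be able to hold the argument. */` above the test would make that explicit. The function bodies start and end outside these hunks.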
@@ -11181,6 +11189,8 @@ parse_ipv6_addr(struct context *ctx, const struct token *token,
 /* Argument is expected. */
 if (!arg)
 return -1;
+ if (size < arg->size)
+ goto error;
 size = arg->size;
 /* Bit-mask fill is not supported. */
 if (arg->mask || size != sizeof(tmp))
-- 
2.39.2