Reviewed-by: Jacob Keller <jacob.e.kel...@intel.com>
On 5/16/2020 8:03 AM, Richard Cochran wrote: > The current code truncates the size of path trace TLVs which exceed the > expected maximum based on the largest possible message size. However if > another TLV follows, then a gap would appear, that is, an area in the > message buffer not pointed to by any TLV descriptor. In order to avoid > forwarding such malformed messages, this patch changes the logic to reject > them. > > Signed-off-by: Richard Cochran <richardcoch...@gmail.com> > --- > tlv.c | 22 ++++++++++++++++------ > 1 file changed, 16 insertions(+), 6 deletions(-) > > diff --git a/tlv.c b/tlv.c > index 2440482..6ab54a5 100644 > --- a/tlv.c > +++ b/tlv.c > @@ -18,6 +18,7 @@ > */ > #include <arpa/inet.h> > #include <errno.h> > +#include <stdbool.h> > #include <stdlib.h> > #include <string.h> > > @@ -79,6 +80,17 @@ static int64_t net2host64_unaligned(int64_t *p) > return v; > } > > +static bool tlv_array_invalid(struct TLV *tlv, size_t base_size, size_t > item_size) > +{ > + size_t expected_length, n_items; > + > + n_items = (tlv->length - base_size) / item_size; > + > + expected_length = base_size + n_items * item_size; > + > + return (tlv->length == expected_length) ? false : true; > +} > + > static int mgt_post_recv(struct management_tlv *m, uint16_t data_len, > struct tlv_extra *extra) > { > @@ -678,11 +690,10 @@ void tlv_extra_recycle(struct tlv_extra *extra) > > int tlv_post_recv(struct tlv_extra *extra) > { > - int result = 0; > - struct management_tlv *mgt; > struct management_error_status *mes; > struct TLV *tlv = extra->tlv; > - struct path_trace_tlv *ptt; > + struct management_tlv *mgt; > + int result = 0; > > switch (tlv->type) { > case TLV_MANAGEMENT: > @@ -712,9 +723,8 @@ int tlv_post_recv(struct tlv_extra *extra) > result = unicast_negotiation_post_recv(extra); > break; > case TLV_PATH_TRACE: > - ptt = (struct path_trace_tlv *) tlv; > - if (path_length(ptt) > PATH_TRACE_MAX) { > - ptt->length = PATH_TRACE_MAX * sizeof(struct > ClockIdentity); > + if (tlv_array_invalid(tlv, 0, sizeof(struct ClockIdentity))) { > + goto bad_length; > } > break; > case TLV_ALTERNATE_TIME_OFFSET_INDICATOR: > _______________________________________________ Linuxptp-devel mailing list Linuxptp-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linuxptp-devel