ipc: harden message receive

[ upstream commit 7b51d1b ] Currently, IPC does not check received messages for invalid data and passes them to user code unchanged. This may result in buffer overruns on reading message data. Fix this by checking the message length and fd number on receive, and discard any messages that are not valid. Fixes: bacaa27 ("eal: add channel for multi-process communication") Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
kevintraynor · May 8, 2019 · fdadfbd · fdadfbd
1 parent 6c4a669
commit fdadfbd
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c
@@ -285,7 +285,15 @@ read_msg(struct mp_msg_internal *m, struct sockaddr_un *s)
 			break;
 		}
 	}
-
+	/* sanity-check the response */
+	if (m->msg.num_fds < 0 || m->msg.num_fds > RTE_MP_MAX_FD_NUM) {
+		RTE_LOG(ERR, EAL, "invalid number of fd's received\n");
+		return -1;
+	}
+	if (m->msg.len_param < 0 || m->msg.len_param > RTE_MP_MAX_PARAM_LEN) {
+		RTE_LOG(ERR, EAL, "invalid received data length\n");
+		return -1;
+	}
 	return 0;
 }