hdata: Add protection against corrupt ntuples structure

Found using afl-lop on P9 HDAT. Pretty obvious what the problem is once you look at it, and it's much better having a controlled failure mode than just going off randomly into memory and segfaulting. Signed-off-by: Stewart Smith <stewart@linux.ibm.com> Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
open-power · Mar 20, 2019 · c0faa92 · c0faa92
1 parent fedb949
commit c0faa92
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/hdata/spira.c b/hdata/spira.c
@@ -215,9 +215,30 @@ struct HDIF_common_hdr *__get_hdif(struct spira_ntuple *n, const char id[],
 				   const char *file, int line)
 {
 	struct HDIF_common_hdr *h = ntuple_addr(n);
+	u16 act_cnt, alloc_cnt;
+	u32 act_len, alloc_len;
+
 	if (!spira_check_ptr(h, file, line))
 		return NULL;
 
+	act_cnt = be16_to_cpu(n->act_cnt);
+	alloc_cnt = be16_to_cpu(n->alloc_cnt);
+
+	if (act_cnt > alloc_cnt) {
+		prerror("SPIRA: bad ntuple, act_cnt > alloc_cnt (%u > %u)\n",
+			act_cnt, alloc_cnt);
+		return NULL;
+	}
+
+	act_len = be32_to_cpu(n->act_len);
+	alloc_len = be32_to_cpu(n->alloc_len);
+
+	if (act_len > alloc_len) {
+		prerror("SPIRA: bad ntuple, act_len > alloc_len (%u > %u)\n",
+			act_len, alloc_len);
+		return NULL;
+	}
+
 	if (!HDIF_check(h, id)) {
 		prerror("SPIRA: bad tuple %p: expected %s at %s line %d\n",
 			h, id, file, line);