diff options
author | Ting-Yu Wang <anivia@google.com> | 2021-05-14 12:47:26 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-05-14 12:49:25 -0700 |
commit | 436148d68a50e086ae7b967d6a190b3137e68ac8 (patch) | |
tree | 36b32d05b265532759c759d92a8d8099a9b6b970 /pkg/tcpip | |
parent | 78ae3db1a39c0cd925c6b75807fa1dc76ba99986 (diff) |
Fix panic on consume in a mixed push/consume case
headerOffset() is incorrectly taking account of previous push(), so it thinks
there is more data to consume. This change switches to use pk.reserved as
pivot point.
Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com
PiperOrigin-RevId: 373846283
Diffstat (limited to 'pkg/tcpip')
-rw-r--r-- | pkg/tcpip/stack/packet_buffer.go | 2 | ||||
-rw-r--r-- | pkg/tcpip/stack/packet_buffer_test.go | 31 |
2 files changed, 32 insertions, 1 deletions
diff --git a/pkg/tcpip/stack/packet_buffer.go b/pkg/tcpip/stack/packet_buffer.go index e2e073091..01652fbe7 100644 --- a/pkg/tcpip/stack/packet_buffer.go +++ b/pkg/tcpip/stack/packet_buffer.go @@ -261,7 +261,7 @@ func (pk *PacketBuffer) consume(typ headerType, size int) (v tcpipbuffer.View, c if h.length > 0 { panic(fmt.Sprintf("consume must not be called twice: type %s", typ)) } - if pk.headerOffset()+pk.consumed+size > int(pk.buf.Size()) { + if pk.reserved+pk.consumed+size > int(pk.buf.Size()) { return nil, false } h.offset = pk.consumed diff --git a/pkg/tcpip/stack/packet_buffer_test.go b/pkg/tcpip/stack/packet_buffer_test.go index 1c1aeb950..a8da34992 100644 --- a/pkg/tcpip/stack/packet_buffer_test.go +++ b/pkg/tcpip/stack/packet_buffer_test.go @@ -259,6 +259,37 @@ func TestPacketHeaderPushConsumeMixed(t *testing.T) { }) } +func TestPacketHeaderPushConsumeMixedTooLong(t *testing.T) { + link := makeView(10) + network := makeView(20) + data := makeView(30) + + initData := concatViews(network, data) + pk := NewPacketBuffer(PacketBufferOptions{ + ReserveHeaderBytes: len(link), + Data: buffer.NewViewFromBytes(initData).ToVectorisedView(), + }) + + // 1. Push link header + copy(pk.LinkHeader().Push(len(link)), link) + + checkPacketContents(t, "" /* prefix */, pk, packetContents{ + link: link, + data: initData, + }) + + // 2. Consume network header, with a number of bytes too large. + gotNetwork, ok := pk.NetworkHeader().Consume(len(initData) + 1) + if ok { + t.Fatalf("pk.NetworkHeader().Consume(%d) = %q, true; want _, false", len(initData)+1, gotNetwork) + } + + checkPacketContents(t, "" /* prefix */, pk, packetContents{ + link: link, + data: initData, + }) +} + func TestPacketHeaderPushCalledAtMostOnce(t *testing.T) { const headerSize = 10 |