From 1fd4f0a5facf50ac0bf90c9228c43debbbf57dd9 Mon Sep 17 00:00:00 2001
From: Darius Jahandarie <djahandarie@gmail.com>
Date: Sun, 2 Mar 2025 12:14:25 +0900
Subject: [PATCH] Add bounds check on sk_buff.rs

---
 ebpf/aya-ebpf/src/programs/sk_buff.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ebpf/aya-ebpf/src/programs/sk_buff.rs b/ebpf/aya-ebpf/src/programs/sk_buff.rs
index becdf85d..0af239b4 100644
--- a/ebpf/aya-ebpf/src/programs/sk_buff.rs
+++ b/ebpf/aya-ebpf/src/programs/sk_buff.rs
@@ -10,7 +10,7 @@ use aya_ebpf_bindings::helpers::{
 };
 use aya_ebpf_cty::c_long;
 
-use crate::{bindings::__sk_buff, EbpfContext};
+use crate::{bindings::__sk_buff, check_bounds_signed, EbpfContext};
 
 pub struct SkBuff {
     pub skb: *mut __sk_buff,
@@ -90,6 +90,10 @@ impl SkBuff {
         let len = usize::try_from(self.len()).map_err(|core::num::TryFromIntError { .. }| -1)?;
         let len = len.checked_sub(offset).ok_or(-1)?;
         let len = len.min(dst.len());
+        let in_bounds = check_bounds_signed(len as c_long, 0, dst.len() as c_long + 1);
+        if !in_bounds {
+            return Err(-1);
+        }
         let len_u32 = u32::try_from(len).map_err(|core::num::TryFromIntError { .. }| -1)?;
         let ret = unsafe {
             bpf_skb_load_bytes(