From cd2451ccd0656f0bcddbb90501c53dfdcaf1c09d Mon Sep 17 00:00:00 2001
From: Ryan Alameddine <rhalameddine@gmail.com>
Date: Fri, 14 Mar 2025 23:35:45 -0700
Subject: [PATCH] Added bounds check to SkBuff.load_bytes

---
 ebpf/aya-ebpf/src/programs/sk_buff.rs      | 5 ++++-
 test/integration-ebpf/src/socket_filter.rs | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ebpf/aya-ebpf/src/programs/sk_buff.rs b/ebpf/aya-ebpf/src/programs/sk_buff.rs
index 46fd9cb6..6602f17d 100644
--- a/ebpf/aya-ebpf/src/programs/sk_buff.rs
+++ b/ebpf/aya-ebpf/src/programs/sk_buff.rs
@@ -10,7 +10,7 @@ use aya_ebpf_bindings::helpers::{
 };
 use aya_ebpf_cty::c_long;
 
-use crate::{EbpfContext, bindings::__sk_buff};
+use crate::{bindings::__sk_buff, check_bounds_signed, EbpfContext};
 
 pub struct SkBuff {
     pub skb: *mut __sk_buff,
@@ -90,6 +90,9 @@ impl SkBuff {
         let len = usize::try_from(self.len()).map_err(|core::num::TryFromIntError { .. }| -1)?;
         let len = len.checked_sub(offset).ok_or(-1)?;
         let len = len.min(dst.len());
+        if !check_bounds_signed(len as c_long, 1, dst.len() as c_long) {
+            return Err(-1);
+        }
         let len_u32 = u32::try_from(len).map_err(|core::num::TryFromIntError { .. }| -1)?;
         let ret = unsafe {
             bpf_skb_load_bytes(
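Review bot: The added `check_bounds_signed(len as c_long, 1, dst.len() as c_long)` guard carries no comment, and in plain Rust it looks redundant right after `len.min(dst.len())`, so a later cleanup could remove it. If its purpose is to give the eBPF verifier a provable range for the length passed to `bpf_skb_load_bytes` (my reading, not stated in the patch), say so above the `if`, e.g. `// Bound len to [1, dst.len()] in a form the verifier can track; zero-length reads are rejected.` The lower bound of 1 also means an empty `dst`, or an `offset` equal to the packet length, now returns `Err(-1)` before the helper is called. That belongs in the method's doc comment. The function body starts and ends outside this hunk.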
diff --git a/test/integration-ebpf/src/socket_filter.rs b/test/integration-ebpf/src/socket_filter.rs
index b9cf4cd8..ca3ec61c 100644
--- a/test/integration-ebpf/src/socket_filter.rs
+++ b/test/integration-ebpf/src/socket_filter.rs
@@ -7,7 +7,7 @@ use aya_ebpf::{macros::socket_filter, programs::SkBuffContext};
 #[socket_filter]
 pub fn read_one(ctx: SkBuffContext) -> i64 {
     // Read 1 byte
-    let mut dst = [0; 1];
+    let mut dst = [0; 2];
     let _ = ctx.load_bytes(0, &mut dst);
 
     0
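Review bot: The context comment `// Read 1 byte` no longer matches the buffer, which is now `[0; 2]` in a program still named `read_one`. Update it to something like `// Read up to 2 bytes` and state why the test needs a buffer longer than one byte. Presumably this is so the length reaching the new bounds check in `load_bytes` is not a compile-time constant, but the patch does not say. The closing brace of `read_one` is outside the hunk.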