Added bounds check to SkBuff.load_bytes

1 month ago · cd2451ccd0
parent 6f404f5edb
commit cd2451ccd0
2 changed files with 5 additions and 2 deletions
--- a/ebpf/aya-ebpf/src/programs/sk_buff.rs
+++ b/ebpf/aya-ebpf/src/programs/sk_buff.rs
@ -10,7 +10,7 @@ use aya_ebpf_bindings::helpers::{
 };
 use aya_ebpf_cty::c_long;

-use crate::{EbpfContext, bindings::__sk_buff};
+use crate::{bindings::__sk_buff, check_bounds_signed, EbpfContext};

 pub struct SkBuff {
    pub skb: *mut __sk_buff,
@ -90,6 +90,9 @@ impl SkBuff {
        let len = usize::try_from(self.len()).map_err(|core::num::TryFromIntError { .. }| -1)?;
        let len = len.checked_sub(offset).ok_or(-1)?;
        let len = len.min(dst.len());
+        if !check_bounds_signed(len as c_long, 1, dst.len() as c_long) {
+            return Err(-1);
+        }
        let len_u32 = u32::try_from(len).map_err(|core::num::TryFromIntError { .. }| -1)?;
        let ret = unsafe {
            bpf_skb_load_bytes(
--- a/test/integration-ebpf/src/socket_filter.rs
+++ b/test/integration-ebpf/src/socket_filter.rs
@ -7,7 +7,7 @@ use aya_ebpf::{macros::socket_filter, programs::SkBuffContext};
 #[socket_filter]
 pub fn read_one(ctx: SkBuffContext) -> i64 {
    // Read 1 byte
-    let mut dst = [0; 1];
+    let mut dst = [0; 2];
    let _ = ctx.load_bytes(0, &mut dst);

    0