Only allow a maximum packet size of 255 bytes

This code was written with an assumption that the input/output buffer
sizes would not exceed 255 bytes. The assumption can be seen throughout
the code where it is using a "uint8_t" for size calculations when doing
offsets into the data buffers.

As this application was written for OpenBMC and the service list
provided by OpenBMC is very minimal, supporting a maximum request
buffer of 255 bytes is a fine assumption. Just need to enforce it.

Without this change, very unexpected things can happen with uint8_t
overflow issues when a packet size greater than 255 bytes is passed in
or created internally.

Tested:
- Verified a request with a packet size over 255 bytes is rejected

Change-Id: Icec15fe100d6514a3309fa89e9f79d565de05553
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/slp_message_handler.cpp b/slp_message_handler.cpp
index b159ef7..b0e0cdd 100644
--- a/slp_message_handler.cpp
+++ b/slp_message_handler.cpp
@@ -110,6 +110,20 @@
std::cout << "service=" << service.c_str() << "\n";
+ // See if total response size exceeds our max
+ uint32_t totalLength =
+ buff.size() + /* 14 bytes header + length of langtag */
+ slp::response::SIZE_ERROR + /* 2 byte err code */
+ slp::response::SIZE_SERVICE + /* 2 byte srvtype len */
+ service.length();
+ if (totalLength > slp::MAX_LEN)
+ {
+ std::cerr << "Message response size exceeds maximum allowed: "
+ << totalLength << " / " << slp::MAX_LEN << std::endl;
+ buff.resize(0);
+ return std::make_tuple((int)slp::Error::PARSE_ERROR, buff);
+ }
+
uint8_t length = buff.size() + /* 14 bytes header + length of langtag */
slp::response::SIZE_ERROR + /* 2 byte err code */
slp::response::SIZE_SERVICE + /* 2 byte srvtype len */
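Review bot: The sum checked against slp::MAX_LEN is written out a second time for the `uint8_t length` assignment directly below the new block, so the guard and the narrowing conversion can drift apart if a term is added to one and not the other. Assign `length` from `totalLength` with an explicit cast after the check so that the value that was validated is the value that gets truncated. Separately, slp::Error::PARSE_ERROR is returned for a response that grew too large rather than for a malformed request; a short comment saying why that code was chosen would help whoever reads the error on the client side.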
@@ -214,6 +228,17 @@
std::string url = svc.name + ':' + svc.type + "//" + addr + ',' +
svc.port;
+ // See if total response size exceeds our max
+ uint32_t totalLength = buff.size() + slp::response::SIZE_URL_ENTRY +
+ url.length();
+ if (totalLength > slp::MAX_LEN)
+ {
+ std::cerr << "Message response size exceeds maximum allowed: "
+ << totalLength << " / " << slp::MAX_LEN << std::endl;
+ buff.resize(0);
+ return std::make_tuple((int)slp::Error::PARSE_ERROR, buff);
+ }
+
buff.resize(buff.size() + slp::response::SIZE_URL_ENTRY + url.length());
uint8_t reserved = 0;
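Review bot: `buff.size() + slp::response::SIZE_URL_ENTRY + url.length()` is evaluated in the new check and again in the `buff.resize(...)` call right after it; pass `totalLength` to `resize` so the bound that was checked is the size that is applied. The log text is identical to the one in the first hunk, so a rejection cannot be traced to a code path from the log alone; naming the function or message type in the string would fix that. The Tested note in the commit message covers an oversized request only, so a test that drives this response-size path over slp::MAX_LEN would be worth adding.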