
[VPP-2078] binapi crashes with autoendian arrays

Open vvalderrv opened this issue 10 months ago • 2 comments

Description

The generated code for the following message

autoendian autoreply define sw_interface_set_tx_placement
{
    u32 client_index;
    u32 context;
    vl_api_interface_index_t sw_if_index;
    u32 queue_id;
    u32 array_size;
    u32 threads[array_size];
}; 
outputs the following:
static inline void vl_api_sw_interface_set_tx_placement_t_endian (vl_api_sw_interface_set_tx_placement_t *a)
{
    int i __attribute__((unused));
    for (i = 0; i < a->array_size; i++) {
        a->threads[i] = clib_net_to_host_u32(a->threads[i]);
    }
    a->_vl_msg_id = clib_net_to_host_u16(a->_vl_msg_id);
    /* a->client_index = a->client_index (no-op) */
    a->context = clib_net_to_host_u32(a->context);
    vl_api_interface_index_t_endian(&a->sw_if_index);
    a->queue_id = clib_net_to_host_u32(a->queue_id);
    a->array_size = clib_net_to_host_u32(a->array_size);
} 
As a consequence, we are reading an insanely big (a->array_size) array and end up segfaulting further in VPP.
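To make the ordering problem concrete, here is an added, self-contained C example (not VPP's generated code; the struct layout, the `be32_to_host`/`be16_to_host` helpers and the `demo_*` functions are constructed for this illustration). It lays out a stand-in message with the same field order, shows the loop bound the generated function reads before `array_size` has been byte-swapped, and contrasts it with an endian routine that swaps the length first and also checks the declared length against the bytes actually received, so a malformed or truncated message is rejected instead of walking past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the generated vl_api_sw_interface_set_tx_placement_t layout
 * (constructed for this example; not VPP's real struct definition). */
typedef struct __attribute__((packed)) {
    uint16_t _vl_msg_id;
    uint32_t client_index;
    uint32_t context;
    uint32_t sw_if_index;
    uint32_t queue_id;
    uint32_t array_size;
    uint32_t threads[];      /* array_size elements follow the fixed header */
} tx_placement_msg_t;

/* Portable network (big-endian) to host conversions; no <arpa/inet.h> needed. */
static uint32_t be32_to_host(uint32_t v)
{
    const uint8_t *b = (const uint8_t *)&v;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

static uint16_t be16_to_host(uint16_t v)
{
    const uint8_t *b = (const uint8_t *)&v;
    return (uint16_t)(((uint16_t)b[0] << 8) | b[1]);
}

/* Mirrors the generated code's ordering: the loop bound is taken from
 * array_size BEFORE that field has been byte-swapped. Instead of walking the
 * array (which would run off the buffer), this just returns the bound the
 * generated loop would use. */
static uint32_t buggy_loop_bound(const tx_placement_msg_t *m)
{
    return m->array_size;    /* still in network byte order */
}

/* Corrected ordering: swap the length first, validate it against the number
 * of bytes actually received, then swap the elements. Returns 0 on success,
 * -1 when the buffer is too short for the header or the declared array. */
static int endian_fixed(tx_placement_msg_t *m, size_t msg_len)
{
    if (msg_len < sizeof(*m))
        return -1;
    m->_vl_msg_id  = be16_to_host(m->_vl_msg_id);
    /* client_index is opaque to the receiver; left as-is, as the generated code does */
    m->context     = be32_to_host(m->context);
    m->sw_if_index = be32_to_host(m->sw_if_index);
    m->queue_id    = be32_to_host(m->queue_id);
    m->array_size  = be32_to_host(m->array_size);   /* length swapped before use */

    size_t avail = (msg_len - sizeof(*m)) / sizeof(uint32_t);
    if (m->array_size > avail)
        return -1;           /* declared length exceeds what was received */

    for (uint32_t i = 0; i < m->array_size; i++)
        m->threads[i] = be32_to_host(m->threads[i]);
    return 0;
}

/* Constructed wire-format sample: array_size = 3, threads = {1, 2, 3}, big-endian. */
static const uint8_t sample_wire[] = {
    0x01, 0x2c,                 /* _vl_msg_id = 300 */
    0x00, 0x00, 0x00, 0x07,     /* client_index = 7 */
    0x00, 0x00, 0x00, 0x2a,     /* context = 42 */
    0x00, 0x00, 0x00, 0x05,     /* sw_if_index = 5 */
    0x00, 0x00, 0x00, 0x01,     /* queue_id = 1 */
    0x00, 0x00, 0x00, 0x03,     /* array_size = 3 */
    0x00, 0x00, 0x00, 0x01,     /* threads[0] = 1 */
    0x00, 0x00, 0x00, 0x02,     /* threads[1] = 2 */
    0x00, 0x00, 0x00, 0x03,     /* threads[2] = 3 */
};

/* On a little-endian host the raw bytes 00 00 00 03 read as 0x03000000,
 * i.e. a loop bound of about 50 million instead of 3. */
static uint32_t demo_buggy_bound(void)
{
    uint8_t buf[sizeof(sample_wire)];
    memcpy(buf, sample_wire, sizeof buf);
    return buggy_loop_bound((const tx_placement_msg_t *)buf);
}

/* Decodes the sample with the corrected routine; fills the host-order results. */
static int demo_fixed(uint32_t threads_out[3], uint32_t *array_size_out)
{
    uint8_t buf[sizeof(sample_wire)];
    memcpy(buf, sample_wire, sizeof buf);
    tx_placement_msg_t *m = (tx_placement_msg_t *)buf;
    int rc = endian_fixed(m, sizeof buf);
    if (rc == 0) {
        *array_size_out = m->array_size;
        for (int i = 0; i < 3; i++)
            threads_out[i] = m->threads[i];
    }
    return rc;
}

/* Same message truncated so only two of the three declared elements arrived:
 * the length check must reject it rather than read past the end. */
static int demo_fixed_truncated(void)
{
    uint8_t buf[sizeof(sample_wire) - sizeof(uint32_t)];
    memcpy(buf, sample_wire, sizeof buf);
    return endian_fixed((tx_placement_msg_t *)buf, sizeof buf);
}

int main(void)
{
    uint32_t t[3], n;
    printf("buggy loop bound: %u\n", demo_buggy_bound());
    if (demo_fixed(t, &n) == 0)
        printf("fixed: array_size=%u threads={%u,%u,%u}\n", n, t[0], t[1], t[2]);
    printf("truncated message rc=%d\n", demo_fixed_truncated());
    return 0;
}
```

The length check against `msg_len` is the part the generated code cannot do on its own, since the endian routine never sees the received message length; it is included here to show what a complete defensive decode of a variable-length array looks like once the swap ordering is right.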

Assignee

Unassigned

Reporter

Nathan Skrzypczak

Comments

Cherry-picked to stable/2306: https://gerrit.fd.io/r/c/vpp/+/39045

Original issue: https://jira.fd.io/browse/VPP-2078

vvalderrv, Feb 02 '25 15:02