From c0faa923216836d25ed55c030cd576bbac3ca1d3 Mon Sep 17 00:00:00 2001
From: Stewart Smith
Date: Mon, 18 Mar 2019 16:52:17 +1100
Subject: hdata: Add protection against corrupt ntuples structure

Found using afl-lop on P9 HDAT. Pretty obvious what the problem is once you look at it, and it's much better having a controlled failure mode than just going off randomly into memory and segfaulting.

Signed-off-by: Stewart Smith
Reviewed-by: Vasant Hegde
Signed-off-by: Stewart Smith
---
 hdata/spira.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'hdata')

diff --git a/hdata/spira.c b/hdata/spira.c
index 56218709..43c76f97 100644
--- a/hdata/spira.c
+++ b/hdata/spira.c
@@ -215,9 +215,30 @@ struct HDIF_common_hdr *__get_hdif(struct spira_ntuple *n, const char id[], const char *file, int line) { struct HDIF_common_hdr *h = ntuple_addr(n); + u16 act_cnt, alloc_cnt; + u32 act_len, alloc_len; + if (!spira_check_ptr(h, file, line)) return NULL; + act_cnt = be16_to_cpu(n->act_cnt); alloc_cnt = be16_to_cpu(n->alloc_cnt); + if (act_cnt > alloc_cnt) { prerror("SPIRA: bad ntuple, act_cnt > alloc_cnt (%u > %u)\n", act_cnt, alloc_cnt); return NULL; } + act_len = be32_to_cpu(n->act_len); alloc_len = be32_to_cpu(n->alloc_len); + if (act_len > alloc_len) { prerror("SPIRA: bad ntuple, act_len > alloc_len (%u > %u)\n", act_len, alloc_len); return NULL; } + if (!HDIF_check(h, id)) { prerror("SPIRA: bad tuple %p: expected %s at %s line %d\n", h, id, file, line); -- cgit v1.2.1
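Review bot: The two new prerror() calls for the act_cnt and act_len checks drop the `file`/`line` context that the existing HDIF_check failure message in the same function reports, so a corrupt-HDAT failure on this path cannot be traced to the caller that asked for the tuple; the same applies to the act_len message. Suggest `prerror("SPIRA: bad ntuple, act_cnt > alloc_cnt (%u > %u) at %s line %d\n", act_cnt, alloc_cnt, file, line);` and the matching change for act_len. Note also that both checks are purely relative (actual ≤ allocated): nothing in the hunk bounds alloc_cnt or alloc_len against the memory that actually backs `h`, so a tuple whose actual and allocated values are both oversized still passes here and is presumably only caught, if at all, by whatever consumes these counts later; whether that is acceptable depends on callers outside this hunk. __get_hdif continues past the end of the hunk.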