Avoid panic in TcU32Selector parsing

Jeff-A-Martin · cathay4t · commit c49e3acbc63e · 2024-08-12T20:05:40.000+08:00
`TcU32SelectorBuffer::new_checked` returns an error when the underlying
buffer is not large enough to contain `nkeys`. This avoids an
index-out-of-bounds panic in `TcU32Selector::parse`, when extracting
keys from the underlying buffer.
diff --git a/src/tc/filters/cls_u32.rs b/src/tc/filters/cls_u32.rs
@@ -177,7 +177,7 @@ pub struct TcU32Selector {
     pub keys: Vec<TcU32Key>,
 }
 
-buffer!(TcU32SelectorBuffer(TC_U32_SEL_BUF_LEN) {
+buffer!(TcU32SelectorBuffer {
     flags: (u8, 0),
     offshift: (u8, 1),
     nkeys: (u8, 2),
@@ -190,6 +190,35 @@ buffer!(TcU32SelectorBuffer(TC_U32_SEL_BUF_LEN) {
     keys: (slice, TC_U32_SEL_BUF_LEN..),
 });
 
+impl<T: AsRef<[u8]>> TcU32SelectorBuffer<T> {
+    pub fn new_checked(buffer: T) -> Result<Self, DecodeError> {
+        let packet = Self::new(buffer);
+        packet.check_buffer_length()?;
+        Ok(packet)
+    }
+
+    fn check_buffer_length(&self) -> Result<(), DecodeError> {
+        let len = self.buffer.as_ref().len();
+        if len < TC_U32_SEL_BUF_LEN {
+            return Err(format!(
+                "invalid TcU32SelectorBuffer: length {len} < {TC_U32_SEL_BUF_LEN}"
+            )
+            .into());
+        }
+        // Expect the buffer to be large enough to hold `nkeys`.
+        let expected_len =
+            ((self.nkeys() as usize) * TC_U32_KEY_BUF_LEN) + TC_U32_SEL_BUF_LEN;
+        if len < expected_len {
+            return Err(format!(
+                "invalid RouteNextHopBuffer: length {} < {}",
+                len, expected_len,
+            )
+            .into());
+        }
+        Ok(())
+    }
+}
+
 impl Emitable for TcU32Selector {
     fn buffer_len(&self) -> usize {
         TC_U32_SEL_BUF_LEN + (self.nkeys as usize * TC_U32_KEY_BUF_LEN)
diff --git a/src/tc/filters/mod.rs b/src/tc/filters/mod.rs
@@ -6,6 +6,7 @@ mod u32_flags;
 
 pub use self::cls_u32::{
     TcFilterU32, TcFilterU32Option, TcU32Key, TcU32Selector,
+    TcU32SelectorBuffer,
 };
 pub use self::matchall::{TcFilterMatchAll, TcFilterMatchAllOption};
 pub use u32_flags::{TcU32OptionFlags, TcU32SelectorFlags};
diff --git a/src/tc/mod.rs b/src/tc/mod.rs
@@ -20,7 +20,8 @@ pub use self::actions::{
 pub use self::attribute::TcAttribute;
 pub use self::filters::{
     TcFilterMatchAll, TcFilterMatchAllOption, TcFilterU32, TcFilterU32Option,
-    TcU32Key, TcU32OptionFlags, TcU32Selector, TcU32SelectorFlags,
+    TcU32Key, TcU32OptionFlags, TcU32Selector, TcU32SelectorBuffer,
+    TcU32SelectorFlags,
 };
 pub use self::header::{TcHandle, TcHeader, TcMessageBuffer};
 pub use self::message::TcMessage;
diff --git a/src/tc/tests/filter_u32.rs b/src/tc/tests/filter_u32.rs
@@ -9,6 +9,7 @@ use crate::{
         filters::{TcU32OptionFlags, TcU32SelectorFlags},
         TcAttribute, TcFilterU32Option, TcHandle, TcHeader, TcMessage,
         TcMessageBuffer, TcOption, TcU32Key, TcU32Selector,
+        TcU32SelectorBuffer,
     },
     AddressFamily,
 };
@@ -112,3 +113,23 @@ fn test_get_filter_u32() {
 
     assert_eq!(buf, raw);
 }
+
+// Verify that [`TcU32Selector`] fails to parse a buffer with an
+// invalid number of keys.
+#[test]
+fn test_tcu32_selector_invalid_nkeys() {
+    // TC u32 selector buffer layout:
+    // |byte0|byte1|byte2|byte3|byte4|byte5|byte6|byte7|
+    // |-----|-----|-----|-----|-----|-----|-----|-----|
+    // |flags|shift|nkeys|pad  |  offmask  |    off    |
+    // |-----|-----|-----|-----|-----|-----|-----|-----|
+    // |   offoff  |   hoff    |         hmask         |
+    // |-----|-----|-----|-----|-----|-----|-----|-----|
+    // |                     keys                      |
+    // |                      ...                      |
+    let buffer = [
+        0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00,
+    ];
+    assert!(TcU32SelectorBuffer::new_checked(buffer).is_err());
+}
