Fix panic on consume in a mixed push/consume case

headerOffset() is incorrectly taking account of previous push(), so it thinks there is more data to consume. This change switches to use pk.reserved as pivot point. Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com PiperOrigin-RevId: 373846283
2021-05-14 12:47:26 -07:00 · 2021-05-14 12:47:26 -07:00 · 436148d68a
parent 78ae3db1a3
commit 436148d68a
2 changed files with 32 additions and 1 deletions
--- a/pkg/tcpip/stack/packet_buffer.go
+++ b/pkg/tcpip/stack/packet_buffer.go
@ -261,7 +261,7 @@ func (pk *PacketBuffer) consume(typ headerType, size int) (v tcpipbuffer.View, c
 	if h.length > 0 {
 		panic(fmt.Sprintf("consume must not be called twice: type %s", typ))
 	}
-	if pk.headerOffset()+pk.consumed+size > int(pk.buf.Size()) {
+	if pk.reserved+pk.consumed+size > int(pk.buf.Size()) {
 		return nil, false
 	}
 	h.offset = pk.consumed
--- a/pkg/tcpip/stack/packet_buffer_test.go
+++ b/pkg/tcpip/stack/packet_buffer_test.go
@ -259,6 +259,37 @@ func TestPacketHeaderPushConsumeMixed(t *testing.T) {
 	})
 }

+func TestPacketHeaderPushConsumeMixedTooLong(t *testing.T) {
+	link := makeView(10)
+	network := makeView(20)
+	data := makeView(30)
+
+	initData := concatViews(network, data)
+	pk := NewPacketBuffer(PacketBufferOptions{
+		ReserveHeaderBytes: len(link),
+		Data:               buffer.NewViewFromBytes(initData).ToVectorisedView(),
+	})
+
+	// 1. Push link header
+	copy(pk.LinkHeader().Push(len(link)), link)
+
+	checkPacketContents(t, "" /* prefix */, pk, packetContents{
+		link: link,
+		data: initData,
+	})
+
+	// 2. Consume network header, with a number of bytes too large.
+	gotNetwork, ok := pk.NetworkHeader().Consume(len(initData) + 1)
+	if ok {
+		t.Fatalf("pk.NetworkHeader().Consume(%d) = %q, true; want _, false", len(initData)+1, gotNetwork)
+	}
+
+	checkPacketContents(t, "" /* prefix */, pk, packetContents{
+		link: link,
+		data: initData,
+	})
+}
+
 func TestPacketHeaderPushCalledAtMostOnce(t *testing.T) {
 	const headerSize = 10