core: Limit maximum size of an assembled MCTP message
If libmctp receives a sequence of fragmented MCTP packets and never receives
an EOM packet, heap memory will grow without bounds. This
commit puts an upper cap on the maximum MCTP message size. This should
protect us from any malicious device trying to exploit this.

Also, this prevents overwhelming of the device's resources.
Section 10.1.5 of DSP0236 (v1.3.1) allows configuration of
endpoints to protect its resources.

Signed-off-by: Sumanth Bhat <[email protected]>
Change-Id: Id62cfab7c25b3e1ccf955f2e924844b58b4be154
sumbhat90 committed Jul 14, 2020
1 parent d97869d commit 2c820c5
Showing 2 changed files with 23 additions and 4 deletions.
26 changes: 22 additions & 4 deletions core.c
Expand Up @@ -57,6 +57,7 @@ struct mctp {
ROUTE_ENDPOINT,
ROUTE_BRIDGE,
} route_policy;
size_t max_message_size;
};

#ifndef BUILD_ASSERT
Expand All @@ -68,6 +69,12 @@ struct mctp {
#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
#endif

/* 64kb should be sufficient for a single message. Applications
* requiring higher sizes can override by setting max_message_size.*/
#ifndef MCTP_MAX_MESSAGE_SIZE
#define MCTP_MAX_MESSAGE_SIZE 65536
#endif

static int mctp_message_tx_on_bus(struct mctp_bus *bus, mctp_eid_t src,
mctp_eid_t dest, void *msg, size_t msg_len);

Expand Down Expand Up @@ -195,7 +202,7 @@ static void mctp_msg_ctx_reset(struct mctp_msg_ctx *ctx)
}

static int mctp_msg_ctx_add_pkt(struct mctp_msg_ctx *ctx,
struct mctp_pktbuf *pkt)
struct mctp_pktbuf *pkt, size_t max_size)
{
size_t len;

Expand All @@ -212,6 +219,11 @@ static int mctp_msg_ctx_add_pkt(struct mctp_msg_ctx *ctx,
new_alloc_size = ctx->buf_alloc_size * 2;
}

/* Don't allow heap to grow beyond a limit */
if (new_alloc_size > max_size)
return -1;


lbuf = __mctp_realloc(ctx->buf, new_alloc_size);
if (lbuf) {
ctx->buf = lbuf;
Expand All @@ -235,10 +247,16 @@ struct mctp *mctp_init(void)

mctp = __mctp_alloc(sizeof(*mctp));
memset(mctp, 0, sizeof(*mctp));
mctp->max_message_size = MCTP_MAX_MESSAGE_SIZE;

return mctp;
}

void mctp_set_max_message_size(struct mctp *mctp, size_t message_size)
{
mctp->max_message_size = message_size;
}

void mctp_destroy(struct mctp *mctp)
{
size_t i;
Expand Down Expand Up @@ -470,7 +488,7 @@ void mctp_bus_rx(struct mctp_binding *binding, struct mctp_pktbuf *pkt)
hdr->src, hdr->dest, tag);
}

rc = mctp_msg_ctx_add_pkt(ctx, pkt);
rc = mctp_msg_ctx_add_pkt(ctx, pkt, mctp->max_message_size);
if (rc) {
mctp_msg_ctx_drop(ctx);
} else {
Expand All @@ -494,7 +512,7 @@ void mctp_bus_rx(struct mctp_binding *binding, struct mctp_pktbuf *pkt)
goto out;
}

rc = mctp_msg_ctx_add_pkt(ctx, pkt);
rc = mctp_msg_ctx_add_pkt(ctx, pkt, mctp->max_message_size);
if (!rc)
mctp_rx(mctp, bus, ctx->src, ctx->dest,
ctx->buf, ctx->buf_size);
Expand All @@ -517,7 +535,7 @@ void mctp_bus_rx(struct mctp_binding *binding, struct mctp_pktbuf *pkt)
goto out;
}

rc = mctp_msg_ctx_add_pkt(ctx, pkt);
rc = mctp_msg_ctx_add_pkt(ctx, pkt, mctp->max_message_size);
if (rc) {
mctp_msg_ctx_drop(ctx);
goto out;
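Review bot: The guard added in mctp_msg_ctx_add_pkt tests `new_alloc_size > max_size`, so the cap is enforced on the doubled allocation step rather than on the assembled message length. A `max_message_size` that is not one of the doubling steps is silently rounded down, and a value below the first allocation size (chosen outside the hunk), or 0, would appear to reject every message, since `mctp_set_max_message_size()` stores its argument unchecked. Testing the length directly and clamping the growth would make the limit mean what its name says: `if (ctx->buf_size + len > max_size) return -1;` followed by `if (new_alloc_size > max_size) new_alloc_size = max_size;`. The function's length computation and its copy/return path lie outside the visible hunks, so confirm there that a single packet cannot need more space than one growth step provides.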
1 change: 1 addition & 0 deletions libmctp.h
Expand Up @@ -65,6 +65,7 @@ struct mctp;
struct mctp_bus;

struct mctp *mctp_init(void);
void mctp_set_max_message_size(struct mctp *mctp, size_t message_size);
void mctp_destroy(struct mctp *mctp);

/* Register a binding to the MCTP core, and creates a bus (populating
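Review bot: The new prototype `mctp_set_max_message_size()` is exported without a comment, although it is the setting that bounds reassembly memory against a misbehaving peer. A caller cannot tell from the header that the value is in bytes, that the default is `MCTP_MAX_MESSAGE_SIZE` (65536, defined in core.c), or whether it may be changed while a message is being reassembled. Suggested comment above the declaration: `/* Set the cap, in bytes, on one reassembled message; defaults to MCTP_MAX_MESSAGE_SIZE. */`, with the author adding a sentence on when the call is allowed.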
