Fix out-of-boundary read in rule engines

5 years ago · 270210a8ab
parent 00b9f4c557
commit 270210a8ab
2 changed files with 4 additions and 2 deletions
--- a/OpenCL/inc_rp.cl
+++ b/OpenCL/inc_rp.cl
@ -769,7 +769,8 @@ DECLSPEC int apply_rules (CONSTANT_AS const u32 *cmds, u32 *buf, const int in_le
    const u8 p0   = (cmd >>  8) & 0xff;
    const u8 p1   = (cmd >> 16) & 0xff;

-    out_len = apply_rule (name, p0, p1, buf, out_len);
+    // we need to guarantee input length < 256 otherwise functions like rule_op_mangle_switch_last() and others will read out of boundary
+    out_len = apply_rule (name, p0, p1, buf, out_len & 255);
  }

  return out_len;
--- a/OpenCL/inc_rp_optimized.cl
+++ b/OpenCL/inc_rp_optimized.cl
@ -2349,7 +2349,8 @@ DECLSPEC u32 apply_rules_optimized (CONSTANT_AS const u32 *cmds, u32 *buf0, u32
    const u32 p0   = (cmd >>  8) & 0xff;
    const u32 p1   = (cmd >> 16) & 0xff;

-    out_len = apply_rule_optimized (name, p0, p1, buf0, buf1, out_len);
+    // we need to guarantee input length < 32 otherwise functions like rule_op_mangle_switch_last() and others will read out of boundary
+    out_len = apply_rule_optimized (name, p0, p1, buf0, buf1, out_len & 31);
  }

  return out_len;