From dc94f1468e21503c7f666c25649d6bee3d6d6524 Mon Sep 17 00:00:00 2001
From: JP Kobryn <jpkobryn@meta.com>
Date: Tue, 5 Sep 2023 12:10:21 -0700
Subject: [PATCH] prevent overflow on invalid fragment values

Summary: prevent invalid fragment values from leading to a buffer overrun

Reviewed By: kernelslacker

Differential Revision: D48924553

fbshipit-source-id: 786e7afc3d4f361235e9d5be8b9292da032f2d27
---
 ncrx/libncrx.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ncrx/libncrx.c b/ncrx/libncrx.c
index 1ba31d2..89c78d7 100644
--- a/ncrx/libncrx.c
+++ b/ncrx/libncrx.c
@@ -599,6 +599,16 @@ static int ncrx_queue_payload(const char *payload, struct ncrx *ncrx,
 		int off = tmsg.ncfrag_off;
 		int i;
 
+		/*
+		 * we're merging a text fragment into the message text buffer.
+		 * the checks done here ensure that the received fragment values
+		 * are within bounds of the message text buffer.
+		 */
+		if (off >= msg->text_len ||
+			off + tmsg.ncfrag_len > msg->text_len) {
+			return -1;
+		}
+
 		for (i = 0; i < tmsg.ncfrag_len; i++) {
 			if (msg->text[off + i])
 				continue;
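Review bot: The new bounds check assumes `off` and `tmsg.ncfrag_len` are non-negative, so a negative fragment offset or length still passes both comparisons and the loop below then indexes `msg->text[off + i]` below the start of the buffer; `off` is declared `int` on the first hunk line, and unless the parser that fills `tmsg` rejects negatives elsewhere (not visible here), those values come straight from the received payload. The sum `off + tmsg.ncfrag_len` can also overflow signed int for a large length, which is undefined behaviour rather than a reliable rejection. Rewriting the guard to reject negatives first and to subtract instead of add avoids both: `if (off < 0 || tmsg.ncfrag_len < 0 || off >= msg->text_len ||` / `    tmsg.ncfrag_len > msg->text_len - off) {` / `	return -1;`. The enclosing function ncrx_queue_payload starts before this hunk, so the types of `ncfrag_len` and `text_len` are inferred from their use here and should be confirmed against the struct definitions.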