From dc94f1468e21503c7f666c25649d6bee3d6d6524 Mon Sep 17 00:00:00 2001
From: JP Kobryn <jpkobryn@meta.com>
Date: Tue, 5 Sep 2023 12:10:21 -0700
Subject: [PATCH] prevent overflow on invalid fragment values
Summary: prevent invalid fragment values from leading to a buffer overrun
Reviewed By: kernelslacker
Differential Revision: D48924553
fbshipit-source-id: 786e7afc3d4f361235e9d5be8b9292da032f2d27
---
ncrx/libncrx.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ncrx/libncrx.c b/ncrx/libncrx.c
index 1ba31d2..89c78d7 100644
--- a/ncrx/libncrx.c
+++ b/ncrx/libncrx.c
@@ -599,6 +599,16 @@ static int ncrx_queue_payload(const char *payload, struct ncrx *ncrx,
int off = tmsg.ncfrag_off;
int i;
+ /*
+ * we're merging a text fragment into the message text buffer.
+ * the checks done here ensure that the received fragment values
+ * are within bounds of the message text buffer.
+ */
+ if (off >= msg->text_len ||
+ off + tmsg.ncfrag_len > msg->text_len) {
+ return -1;
+ }
+
for (i = 0; i < tmsg.ncfrag_len; i++) {
if (msg->text[off + i])
continue;
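Review bot: The added bounds check in ncrx_queue_payload() rejects fragment offsets and lengths that are too large but not negative ones, and the sum `off + tmsg.ncfrag_len` can overflow before it is compared, since `off` is declared `int` just above. If the parser that fills `tmsg.ncfrag_off` and `tmsg.ncfrag_len` can produce negative values (not visible in this hunk), the loop below would index `msg->text` before its start. An overflow-free form is `if (off < 0 || tmsg.ncfrag_len < 0 || off >= msg->text_len || tmsg.ncfrag_len > msg->text_len - off) return -1;`. The function starts and ends outside the hunk, so check there whether callers expect `errno` to be set on this new `-1` path.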