Skip to content

Commit

Permalink
sys/net/gnrc_pktbuf_static: add use-after-free detection
Browse files Browse the repository at this point in the history
  • Loading branch information
benpicco committed Jun 17, 2022
1 parent 14afafa commit 7396095
Showing 1 changed file with 44 additions and 0 deletions.
44 changes: 44 additions & 0 deletions sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,15 @@
#define ENABLE_DEBUG 0
#include "debug.h"

/**
* @brief enable use-after-free detection
*/
#ifndef CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE
#define CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE (0)
#endif

#define CANARY 0x55

/* The static buffer needs to be aligned to word size, so that its start
* address can be casted to `_unused_t *` safely. Just allocating an array of
* (word sized) uintptr_t is a trivial way to do this */
Expand All @@ -53,6 +62,18 @@ static gnrc_pktsnip_t *_create_snip(gnrc_pktsnip_t *next, const void *data, size
gnrc_nettype_t type);
static void *_pktbuf_alloc(size_t size);

static const void *mem_is_set(const void *data, uint8_t c, size_t len)
{
const uint8_t *end = (uint8_t *)data + len;
for (const uint8_t *d = data; d != end; ++d) {
if (c != *d) {
return d;
}
}

return NULL;
}

static inline void _set_pktsnip(gnrc_pktsnip_t *pkt, gnrc_pktsnip_t *next,
void *data, size_t size, gnrc_nettype_t type)
{
Expand All @@ -69,6 +90,9 @@ static inline void _set_pktsnip(gnrc_pktsnip_t *pkt, gnrc_pktsnip_t *next,
void gnrc_pktbuf_init(void)
{
mutex_lock(&gnrc_pktbuf_mutex);
if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE) {
memset(_pktbuf_buf, CANARY, sizeof(_pktbuf_buf));
}
_first_unused = (_unused_t *)_pktbuf_buf;
_first_unused->next = NULL;
_first_unused->size = sizeof(_pktbuf_buf);
Expand Down Expand Up @@ -412,6 +436,18 @@ static void *_pktbuf_alloc(size_t size)
max_byte_count = last_byte;
}
#endif

const void *mismatch;
if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE &&
(mismatch = mem_is_set(ptr + 1, CANARY, size - sizeof(_unused_t)))) {
printf("[%p] mismatch at offset %u/%u\n",
(void *)ptr, (uintptr_t)mismatch - (uintptr_t)ptr, size);
#ifdef MODULE_OD
od_hex_dump(ptr, size, 0);
#endif
assert(0);
}

return (void *)ptr;
}

Expand All @@ -426,6 +462,9 @@ static inline _unused_t *_merge(_unused_t *a, _unused_t *b)

a->next = b->next;
a->size = b->size + ((uint8_t *)b - (uint8_t *)a);
if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE) {
memset(b, CANARY, sizeof(*b));
}
return a;
}

Expand All @@ -437,6 +476,11 @@ void gnrc_pktbuf_free_internal(void *data, size_t size)
if (!gnrc_pktbuf_contains(data)) {
return;
}

if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE) {
memset(data, CANARY, _align(size));
}

while (ptr && (((void *)ptr) < data)) {
prev = ptr;
ptr = ptr->next;
Expand Down

0 comments on commit 7396095

Please sign in to comment.