Fix panic and wrong delete index in generated _SetVendor#140
Open
jamiesun wants to merge 1 commit into
The generated _<Vendor>_SetVendor helper, emitted for every vendor dictionary, had two defects:

1. The sub-attribute scan read a fixed offset (vsa[0], vsa[1]) instead of the running cursor (vsa[j], vsa[j+1]) and always advanced j, even after the matched sub-attribute was removed and vsa was shortened. Setting the same vendor attribute twice -- or setting one already present on an inbound packet -- panicked with "slice bounds out of range".

2. An emptied VSA was removed with the wrong index (i+i instead of i+1): a no-op at i==0 and dropping unrelated attributes / panicking at i>=2.

The scan now reads type/length at the cursor, only advances the cursor when the sub-attribute does not match, rewrites the VSA at its correct new length (no stale trailing bytes), and deletes an emptied VSA with i+1. The affected vendor/rfc dictionaries are regenerated and regression tests are added.

Refs: layeh#121, layeh#129, layeh#125
Refs: talkincode/toughradius#324

Co-authored-by: Copilot <[email protected]>
Summary

The generated `_<Vendor>_SetVendor` helper (emitted into every vendor dictionary by `radius-dict-gen`) can panic with `slice bounds out of range`, and uses a wrong index when removing an emptied Vendor-Specific attribute. This fixes the generator template and regenerates the affected dictionaries.

This is the same crash reported in #121 (Juniper MX80 / ERX, also hit with 3GPP-IMEISV), and it was independently re-reported downstream in talkincode/toughradius#324, which additionally pinned down the `i+i` delete-index defect.

Defects (in `dictionarygen/vendor.go`, `_<Vendor>_SetVendor`)

1. Panic in the sub-attribute scan. The loop read the type/length at a fixed offset `vsa[0], vsa[1]` instead of the running cursor `vsa[j], vsa[j+1]`, and unconditionally advanced `j += int(vsaLen)`. After a matching sub-attribute is removed (`vsa = append(vsa[:j], vsa[j+int(vsaLen):]...)`) the slice shrinks, so advancing `j` runs past the end and `len(vsa[j:])` panics. Reproduces by setting the same vendor attribute twice on one packet.

2. Wrong delete index. An emptied VSA was removed with `p.Attributes[i+i:]` instead of `p.Attributes[i+1:]` — a no-op at `i==0`, and dropping unrelated attributes (or panicking) at `i>=2`.

A third, coupled correctness issue: the `len(vsa) > 0` write-back used `copy(avp.Attribute[4:], vsa)`, which never shrinks `avp.Attribute`, leaving stale trailing bytes when a multi-sub-attribute VSA loses one entry.

Fix

- Read `vsaTyp, vsaLen := vsa[j], vsa[j+1]` at the cursor.
- Advance `j` only when the sub-attribute does not match (matching entries are spliced out in place).
- Write back with `p.Attributes[i].Attribute = append(avp.Attribute[:4:4], vsa...)`.
- Delete an emptied VSA with `i+1`.
- Regenerated `vendors/{aruba,microsoft,mikrotik,wispr}` and `rfc4679`.

Tests

Added `vendors/mikrotik/setvendor_test.go`:

- `TestSetVendorReplaceSameAttribute` — the reported double-set panic.
- `TestSetVendorDeletesEmptyVSAAtNonZeroIndex` — the `i+i` out-of-range delete at index ≥ 2.
- `TestSetVendorPreservesOtherSubAttributes` — a VSA packing several sub-attributes is rewritten without stale bytes.

`go build ./...`, `go vet`, and the full `go test ./...` suite pass. Verified the new tests panic on the pre-fix code.

Relation to prior work

Thanks to @maddsua for reporting #121 and proposing #125 / #129. Those PRs change the loop bound to `len(vsa)-j`, which stops the panic but keeps the fixed-offset `vsa[0], vsa[1]` read and does not address the `i+i` delete index. This PR covers both, plus the write-back resize.

Closes #121
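As an added illustration (not code from this PR or from the radius library), a standalone Go reconstruction of the sub-attribute scan discussed above: the corrected cursor-based loop beside one that reproduces the fixed-offset read and unconditional advance. The sub-attribute byte layouts are constructed, and the function names `removeSubAttrFixed` / `removeSubAttrBuggy` are mine.

```go
package main

import "fmt"

// Sub-attribute layout inside a Vendor-Specific attribute, after the 4-byte
// vendor ID: [type, length, value...], with length counting its 2 header bytes.

// removeSubAttrFixed follows the corrected scan: read type/length at the cursor
// j, splice a matching entry out in place, and advance j only on a non-match.
// It returns the sub-attributes at their new length, so no stale bytes remain.
func removeSubAttrFixed(vsa []byte, typ byte) []byte {
	out := append([]byte(nil), vsa...) // work on a copy; the caller's bytes stay intact
	for j := 0; j+2 <= len(out); {
		l := int(out[j+1])
		if l < 2 || j+l > len(out) {
			break // malformed length: stop instead of reading past the end
		}
		if out[j] == typ {
			out = append(out[:j], out[j+l:]...) // splice out; cursor stays put
			continue
		}
		j += l
	}
	return out
}

// removeSubAttrBuggy reproduces the defective loop the PR describes (header read
// at offset 0, cursor always advanced). ok is false when it would have panicked.
func removeSubAttrBuggy(vsa []byte, typ byte) (out []byte, ok bool) {
	defer func() { ok = recover() == nil }() // catch "slice bounds out of range"
	out = append([]byte(nil), vsa...)
	for j := 0; len(out[j:]) >= 2; { // panics once j has run past len(out)
		vsaTyp, vsaLen := out[0], out[1] // bug: fixed offset, not the cursor
		if vsaLen < 2 || j+int(vsaLen) > len(out) {
			break
		}
		if vsaTyp == typ {
			out = append(out[:j], out[j+int(vsaLen):]...)
		}
		j += int(vsaLen) // bug: advances even though the slice just shrank
	}
	return out, true
}

func main() {
	one := []byte{1, 5, 'a', 'b', 'c'} // constructed: a single type-1 sub-attribute
	_, ok := removeSubAttrBuggy(one, 1)
	fmt.Println("buggy scan panics:", !ok, "fixed result:", removeSubAttrFixed(one, 1))
}
```

The single-entry case is the double-set panic from the PR; the multi-entry case shows the other face of the fixed-offset read, where the buggy loop never examines the second sub-attribute at all.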