Validate jump target before updating vm->int_funcs

Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
iovisor · Apr 22, 2024 · de908a1 · de908a1
1 parent dfd2e9c
commit de908a1
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/vm/ubpf_vm.c b/vm/ubpf_vm.c
@@ -245,6 +245,10 @@ ubpf_load(struct ubpf_vm* vm, const void* code, uint32_t code_len, char** errmsg
          */
         if (source_inst[i].opcode == EBPF_OP_CALL && source_inst[i].src == 1) {
             uint32_t target = i + source_inst[i].imm + 1;
+            if (target >= vm->num_insts) {
+                *errmsg = ubpf_error("invalid call target %u", target);
+                return -1;
+            }
             vm->int_funcs[target] = true;
         }
         // Store instructions in the vm.