pcn-firewall: fix out of bound access in show rule

mbertrone · mbertrone · commit 98c90ea433f4 · 2019-05-21T16:15:29.000+02:00
add test for indexes out of range

Signed-off-by: Matteo Bertrone &lt;m.bertrone@gmail.com&gt;
diff --git a/src/services/pcn-firewall/src/Chain.cpp b/src/services/pcn-firewall/src/Chain.cpp
@@ -511,7 +511,7 @@ void Chain::delStatsList() {
 }
 
 std::shared_ptr<ChainRule> Chain::getRule(const uint32_t &id) {
-  if (rules_.size() < id || !rules_[id]) {
+  if (rules_.size() <= id || !rules_[id]) {
     throw std::runtime_error("There is no rule " + id);
   }
   return rules_[id];
diff --git a/src/services/pcn-firewall/test/general/test_wrong_position.sh b/src/services/pcn-firewall/test/general/test_wrong_position.sh
@@ -0,0 +1,74 @@
+# PING testing rule appending
+
+source "${BASH_SOURCE%/*}/../helpers.bash"
+
+function fwcleanup {
+  set +e
+  polycubectl firewall del fw
+  delete_veth 2
+}
+trap fwcleanup EXIT
+
+echo -e '\nTest wrong position \n'
+set -e
+set -x
+
+create_veth 2
+
+polycubectl firewall add fw loglevel=DEBUG
+polycubectl attach fw veth1
+
+# INGRESS one rule
+polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=FORWARD
+
+#EGRESS multiple rules
+polycubectl firewall fw chain EGRESS append src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD
+polycubectl firewall fw chain EGRESS append src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD
+polycubectl firewall fw chain EGRESS append src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD
+polycubectl firewall fw chain EGRESS append src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD
+
+# Test out of bound access
+set +e
+polycubectl fw chain EGRESS rule del -1
+polycubectl fw chain EGRESS rule del 4
+polycubectl fw chain EGRESS rule del 5
+polycubectl fw chain EGRESS rule del 10
+set -e
+
+# test fw to be still alive
+polycubectl fw chain EGRESS show
+
+set +e
+polycubectl fw chain EGRESS rule show -1
+polycubectl fw chain EGRESS rule show 4
+polycubectl fw chain EGRESS rule show 5
+polycubectl fw chain EGRESS rule show 10
+set -e
+
+# test fw to be still alive
+polycubectl fw chain EGRESS show
+
+set +e
+polycubectl fw chain INGRESS rule del -1
+polycubectl fw chain INGRESS rule del 1
+polycubectl fw chain INGRESS rule del 2
+polycubectl fw chain INGRESS rule del 10
+
+polycubectl fw chain INGRESS rule show -1
+polycubectl fw chain INGRESS rule show 1
+polycubectl fw chain INGRESS rule show 2
+polycubectl fw chain INGRESS rule show 10
+set -e
+
+# test fw to be still alive
+polycubectl fw chain EGRESS show
+
+polycubectl fw chain EGRESS show rule 0
+polycubectl fw chain EGRESS show rule 1
+polycubectl fw chain EGRESS show rule 2
+polycubectl fw chain EGRESS show rule 3
+
+polycubectl fw chain INGRESS show rule 0
+
+
+

Original file line number	Diff line number	Diff line change
`@@ -511,7 +511,7 @@ void Chain::delStatsList() {`
`511`	`511`	`}`
`512`	`512`
`513`	`513`	`std::shared_ptr<ChainRule> Chain::getRule(const uint32_t &id) {`
`514`		`- if (rules_.size() < id \|\| !rules_[id]) {`
	`514`	`+ if (rules_.size() <= id \|\| !rules_[id]) {`
`515`	`515`	`throw std::runtime_error("There is no rule " + id);`
`516`	`516`	`}`
`517`	`517`	`return rules_[id];`