Add frame buffer pointer check to Arty A7 Ethernet driver.
Although the frame pointer and its length are supplied by the firewall,
which is trusted, the firewall does not check the pointer, which
comes from external untrusted components. We must therefore check it.
Signed-off-by: Hugo Lefeuvre <hugo.lefeuvre@scisemi.com>
diff --git a/sdk/include/platform/arty-a7/platform-ethernet.hh b/sdk/include/platform/arty-a7/platform-ethernet.hh
index 2073ea3..900fe1c 100644
--- a/sdk/include/platform/arty-a7/platform-ethernet.hh
+++ b/sdk/include/platform/arty-a7/platform-ethernet.hh
@@ -741,6 +741,17 @@
while (transmitControl & 1) {}
// Write the frame to the transmit buffer.
auto transmitBuffer = transmit_buffer_pointer();
+ // We must check the frame pointer and its length. Although it
+ // is supplied by the firewall which is trusted, the firewall
+ // does not check the pointer which is coming from external
+ // untrusted components.
+ Timeout t{10};
+ if ((heap_claim_fast(&t, buffer) < 0) ||
+ (!CHERI::check_pointer<CHERI::PermissionSet{
+ CHERI::Permission::Load}>(buffer, length)))
+ {
+ return false;
+ }
memcpy(transmitBuffer, buffer, length);
if (!check(transmitBuffer, length))
{
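Review bot: The added comment says why the pointer is checked but not why `heap_claim_fast` runs before `check_pointer` or how long the claim lasts, and that ordering is what closes the window between the check and the `memcpy`. As I understand the fast-claim mechanism, the claim only holds until the thread's next cross-compartment call, so a later edit that puts such a call between the claim and the copy could again let `buffer` be freed under the copy; I would add `// Claim first so the allocation cannot be freed between the check and the copy; the claim lapses at the next cross-compartment call, so keep none before the memcpy.` above `Timeout t{10};`. The literal `10` is also unexplained, and a named constant or a short comment giving its unit and why that budget is enough would help. The enclosing function begins and ends outside this hunk, so whether `length` is also bounded against the transmit buffer cannot be seen from here.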