From: Jérémie Galarneau Date: Mon, 1 Jun 2020 22:53:45 +0000 (-0400) Subject: Fix: source.ctf.fs: 0-length packet index length causes SIGFPE X-Git-Tag: v2.0.4~19 X-Git-Url: http://git.efficios.com/?p=babeltrace.git;a=commitdiff_plain;h=c0b480d3f3773f0b3c8a10640fdaf51eb70b5e1e;hp=71d8a83780bf2ab4902ce7e3a309a635bedfba14 Fix: source.ctf.fs: 0-length packet index length causes SIGFPE A corrupted index can present a 0-length packet index length which will result in a division by 0 when computing the index entry count. Program terminated with signal SIGFPE, Arithmetic exception. #0 0x00007f6ecbd44978 in build_index_from_idx_file (ds_file=0x561ade51ca00, file_info=0x561ade51d000, msg_iter=0x561ade51cd00) at data-stream-file.c:640 640 file_entry_count = (filesize - sizeof(*header)) / file_index_entry_size; The index packet length is checked against the smallest valid size: the size of an index entry as of the 1.0 CTF index version. Signed-off-by: Jérémie Galarneau Change-Id: I83c705575d55f3b56ae413d1ce5ae0fc60121f2c Reviewed-on: https://review.lttng.org/c/babeltrace/+/3606 Tested-by: jenkins Reviewed-by: Philippe Proulx --- diff --git a/src/plugins/ctf/fs-src/data-stream-file.c b/src/plugins/ctf/fs-src/data-stream-file.c index fe14f8cc..4fe807bb 100644 --- a/src/plugins/ctf/fs-src/data-stream-file.c +++ b/src/plugins/ctf/fs-src/data-stream-file.c @@ -648,6 +648,13 @@ struct ctf_fs_ds_index *build_index_from_idx_file( } file_index_entry_size = be32toh(header->packet_index_len); + if (file_index_entry_size < CTF_INDEX_1_0_SIZE) { + BT_COMP_LOGW("Invalid `packet_index_len` in LTTng trace index file (`packet_index_len` < CTF index 1.0 index entry size): " + "packet_index_len=%zu, CTF_INDEX_1_0_SIZE=%zu", + file_index_entry_size, CTF_INDEX_1_0_SIZE); + goto error; + } + file_entry_count = (filesize - sizeof(*header)) / file_index_entry_size; if ((filesize - sizeof(*header)) % file_index_entry_size) { BT_COMP_LOGW("Invalid LTTng trace index: the index's size after the header " 
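Review bot: the new lower bound in data-stream-file.c is the CTF 1.0 entry size, but lttng-index.h in this same change declares CTF_INDEX_MINOR 1, so a header announcing version 1.1 with a `packet_index_len` between CTF_INDEX_1_0_SIZE and the full 1.1 entry size passes this check; if the entry reader later expects `stream_instance_id` to be present for 1.1 indexes, consider validating `packet_index_len` against the minimum size for the major/minor version the header actually declares rather than the 1.0 floor alone. The check itself is correctly placed before the division, and since `file_index_entry_size` is printed with `%zu` it should be a `size_t`, matching the `offsetof()`-derived constant it is compared against.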
diff --git a/src/plugins/ctf/fs-src/lttng-index.h b/src/plugins/ctf/fs-src/lttng-index.h index 23747719..70462e7b 100644 --- a/src/plugins/ctf/fs-src/lttng-index.h +++ b/src/plugins/ctf/fs-src/lttng-index.h @@ -25,11 +25,13 @@ #ifndef LTTNG_INDEX_H #define LTTNG_INDEX_H +#include #include "compat/limits.h" #define CTF_INDEX_MAGIC 0xC1F1DCC1 #define CTF_INDEX_MAJOR 1 #define CTF_INDEX_MINOR 1 +#define CTF_INDEX_1_0_SIZE offsetof(struct ctf_packet_index, stream_instance_id) /* * Header at the beginning of each index file.
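Review bot: the added `#include` line in lttng-index.h names no header as shown here; `offsetof()` requires `<stddef.h>`, so confirm that is what is included (and that it is included before "compat/limits.h" deliberately). A one-line comment on CTF_INDEX_1_0_SIZE would also help: it relies on `struct ctf_packet_index`, which is declared below the macro, being complete at every expansion site, and on `stream_instance_id` being the first field that the 1.1 format appended to the 1.0 entry layout, neither of which is obvious from the definition alone.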