commit cd4ee5fcb429390151be0bcd339567b32ee49694
author Steve DiBenedetto <dibenede@cs.colostate.edu> Mon Dec 08 16:09:11 2014 -0700
committer Steve DiBenedetto <dibenede@cs.colostate.edu> Tue Dec 09 00:12:43 2014 -0700
tree 972dd6274b3910da3b278b0150a7398ea6c0e85c
parent ac7b437cdbbdc59ae6c0ccce2dea53727e5f0e4b

mgmt,rib: check command length before accessing verb

refs: #2151

Change-Id: I0e67fd4b4df10d842648797ed42771af7c53a938

daemon/mgmt/face-manager.cpp

diff --git a/daemon/mgmt/face-manager.cpp b/daemon/mgmt/face-manager.cpp
index c88329c..03e2f42 100644
--- a/daemon/mgmt/face-manager.cpp
+++ b/daemon/mgmt/face-manager.cpp
@@ -844,10 +844,18 @@
 {
   const Name& command = request.getName();
   const size_t commandNComps = command.size();
-  const Name::Component& verb = command.get(COMMAND_PREFIX.size());
 
-  UnsignedVerbDispatchTable::const_iterator unsignedVerbProcessor =
-    m_unsignedVerbDispatch.find(verb);
+  if (commandNComps <= COMMAND_PREFIX.size())
+    {
+      // command is too short to have a verb
+      NFD_LOG_DEBUG("command result: malformed");
+      sendResponse(command, 400, "Malformed command");
+      return;
+    }
+
+  const Name::Component& verb = command.at(COMMAND_PREFIX.size());
+
+  const auto unsignedVerbProcessor = m_unsignedVerbDispatch.find(verb);
   if (unsignedVerbProcessor != m_unsignedVerbDispatch.end())
     {
       NFD_LOG_DEBUG("command result: processing verb: " << verb);

daemon/mgmt/fib-manager.cpp

diff --git a/daemon/mgmt/fib-manager.cpp b/daemon/mgmt/fib-manager.cpp
index 5c91547..3db26e7 100644
--- a/daemon/mgmt/fib-manager.cpp
+++ b/daemon/mgmt/fib-manager.cpp
@@ -104,9 +104,18 @@
 {
   const Name& command = request.getName();
   const size_t commandNComps = command.size();
-  const Name::Component& verb = command.get(COMMAND_PREFIX.size());
 
-  UnsignedVerbDispatchTable::const_iterator unsignedVerbProcessor = m_unsignedVerbDispatch.find(verb);
+  if (commandNComps <= COMMAND_PREFIX.size())
+    {
+      // command is too short to have a verb
+      NFD_LOG_DEBUG("command result: malformed");
+      sendResponse(command, 400, "Malformed command");
+      return;
+    }
+
+  const Name::Component& verb = command.at(COMMAND_PREFIX.size());
+
+  const auto unsignedVerbProcessor = m_unsignedVerbDispatch.find(verb);
   if (unsignedVerbProcessor != m_unsignedVerbDispatch.end())
     {
       NFD_LOG_DEBUG("command result: processing verb: " << verb);

daemon/mgmt/strategy-choice-manager.cpp

diff --git a/daemon/mgmt/strategy-choice-manager.cpp b/daemon/mgmt/strategy-choice-manager.cpp
index e93353b..4f2728c 100644
--- a/daemon/mgmt/strategy-choice-manager.cpp
+++ b/daemon/mgmt/strategy-choice-manager.cpp
@@ -72,6 +72,13 @@
       listStrategies(request);
       return;
     }
+  else if (commandNComps <= COMMAND_PREFIX.size())
+    {
+      // command is too short to have a verb
+      NFD_LOG_DEBUG("command result: malformed");
+      sendResponse(command, 400, "Malformed command");
+      return;
+    }
 
   if (COMMAND_UNSIGNED_NCOMPS <= commandNComps &&
       commandNComps < COMMAND_SIGNED_NCOMPS)
@@ -116,7 +123,7 @@
       return;
     }
 
-  const Name::Component& verb = command[COMMAND_PREFIX.size()];
+  const Name::Component& verb = command.at(COMMAND_PREFIX.size());
   ControlResponse response;
   if (verb == VERB_SET)
     {