Fix read overflow

[Marti2203]

Fixes the following issue detected by OSS-Fuzz:

• https://issues.oss-fuzz.com/issues/390004170

This fix was generated by CodeRover-S, an LLM agent for fixing security vulnerabilities. More details can be found at:

• https://arxiv.org/pdf/2411.03346
• https://github.com/AutoCodeRoverSG/auto-code-rover

[codecov]

Codecov Report

Attention: Patch coverage is 46.66667% with 8 lines in your changes missing coverage. Please review.

Project coverage is 82.98%. Comparing base (d4bfc6a) to head (3d45189).

Files with missing lines	Patch %	Lines
Packet++/src/BgpLayer.cpp	50.00%	4 Missing and 2 partials ⚠️
Packet++/src/RawPacket.cpp	33.33%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              dev    #1812      +/-   ##
==========================================
+ Coverage   82.97%   82.98%   +0.01%     
==========================================
  Files         285      285              
  Lines       48968    49023      +55     
  Branches    10346    10586     +240     
==========================================
+ Hits        40630    40682      +52     
- Misses       7177     7189      +12     
+ Partials     1161     1152       -9     

Flag	Coverage Δ
alpine320	75.07% <12.50%> (-0.03%)	⬇️
fedora42	75.17% <12.50%> (?)
macos-13	80.51% <27.27%> (-0.01%)	⬇️
macos-14	80.51% <27.27%> (-0.01%)	⬇️
macos-15	80.49% <27.27%> (-0.01%)	⬇️
mingw32	71.31% <12.50%> (-0.05%)	⬇️
mingw64	71.30% <12.50%> (-0.07%)	⬇️
npcap	84.96% <33.33%> (-0.04%)	⬇️
rhel94	74.94% <11.11%> (-0.02%)	⬇️
ubuntu2004	58.66% <22.22%> (-0.01%)	⬇️
ubuntu2004-zstd	58.75% <22.22%> (-0.04%)	⬇️
ubuntu2204	74.88% <11.11%> (?)
ubuntu2204-icpx	61.47% <18.18%> (-0.06%)	⬇️
ubuntu2404	75.13% <12.50%> (-0.01%)	⬇️
ubuntu2404-arm64	75.11% <12.50%> (-0.03%)	⬇️
unittest	82.98% <46.66%> (+0.01%)	⬆️
windows-2019	84.99% <45.45%> (+<0.01%)	⬆️
windows-2022	85.00% <33.33%> (-0.03%)	⬇️
winpcap	85.14% <45.45%> (-0.02%)	⬇️
xdp	50.54% <11.11%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Dimi1010]

Can we throw a std::length_error instead of just returning with a error message? The error message will not indicate the error condition to the caller.

[seladb]

Will throwing an exception prevent the application from crashing? 🤔

This method was called in BgpLayer so we should probably think how to prevent it from being called with malformed data

[Dimi1010]

You want a crash if overflow happens. Or at least you want an exception thrown to indicate the failure of the operation, and if the caller doesn't handle it up the call stack, then to crash. It isn't really possible to recover from the situation as the system has reached the limit of how much data can be stored inside a packet.

Silently continuing with just an error message in the log is worse as the program will assume the operation went fine and produce corrupted data down the line. This is exactly the type of improbable situation the exception mechanism was made to handle.

[seladb]

I totally agree, however I don't think throwing an exception will resolve the OSS-Fuzz issue. We should probably throw an exception and fix the issue that caused it in BgpLayer

[Marti2203]

Hi, just to confirm - I will update the patch to throw an std::length_error . Would that be accepted by both of you? @Dimi1010 @seladb

[Dimi1010]

@seladb @Marti2203

Generally, I find exceptions are fine as long as they aren't used to dictate common control flow. The current mainstream compilers use an architecture that has a "zero cost" try-catch blocks if the exception isn't thrown. The tradeoff is a significant overhead if an exception is thrown, so you only want them thrown for rare events.

The current usage seems ok to me? How often are overflows expected to happen?

[seladb]

In most cases, I wouldn't expect an exception to be thrown, however:

• In applications that use PcapPlusPlus with an arbitrary payload (either to test malformed packet handling or because they generate a random payload), an exception can be thrown and we would like to avoid the cost of it
• Most (or all?) of our critical path code doesn't catch exceptions and try to handle edge cases so they don't end up with exceptions. I think we should do the same here for consistency

[Marti2203]

Hi, I have been working on other things and have been checking out this PR again. I agree with sela's points and will prepare a patch after a confirmation from your side -

• NO exception will be thrown in RawPacket, only it is logged and an error is returned. This is to ensure new clients of the code do not lead to a crash and code stylistically aligns with the rest.
• Separately, will add a check for the error in the BGPLayer as it is the only client in the project that uses it.

[seladb]

I think we can still throw an error in insertData() but I would avoid try..catch in BgpLayer and instead check the sizes before calling extendLayer(). @Marti2203 let me know what you think

[Marti2203]

Sounds good. I will also cover the nitpick and send it tonight :)

[seladb]

nit: maybe use static_cast instead of C-style casting?

[seladb]

I think we can still throw an error in insertData() but I would avoid try..catch in BgpLayer and instead check the sizes before calling extendLayer(). @Marti2203 let me know what you think

[Marti2203]

Pushed an update. Feedback is appreciated!

[seladb]

Pushed an update. Feedback is appreciated!

@Marti2203 CI fails, can you please take a look?