DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] fib: fix possible integer overflow
@ 2020-01-14 17:18 Vladimir Medvedkin
  2020-01-20  0:31 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
  2020-01-21 15:07 ` [dpdk-dev] [PATCH v2] " Vladimir Medvedkin
  0 siblings, 2 replies; 4+ messages in thread
From: Vladimir Medvedkin @ 2020-01-14 17:18 UTC (permalink / raw)
  To: dev; +Cc: vladimir.medvedkin, stable

Coverity issue: 350596
Coverity issue: 350597

Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")
Cc: vladimir.medvedkin@intel.com
Cc: stable@dpdk.org

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
---
 lib/librte_fib/trie.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/librte_fib/trie.c b/lib/librte_fib/trie.c
index 124aa8b..2ae2add 100644
--- a/lib/librte_fib/trie.c
+++ b/lib/librte_fib/trie.c
@@ -240,9 +240,8 @@ tbl8_alloc(struct rte_trie_tbl *dp, uint64_t nh)
 	tbl8_idx = tbl8_get(dp);
 	if (tbl8_idx < 0)
 		return tbl8_idx;
-	tbl8_ptr = (uint8_t *)dp->tbl8 +
-		((tbl8_idx * TRIE_TBL8_GRP_NUM_ENT) <<
-		dp->nh_sz);
+	tbl8_ptr = get_tbl_p_by_idx(dp->tbl8,
+		tbl8_idx * TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz);
 	/*Init tbl8 entries with nexthop from tbl24*/
 	write_to_dp((void *)tbl8_ptr, nh, dp->nh_sz,
 		TRIE_TBL8_GRP_NUM_ENT);
@@ -317,7 +316,7 @@ get_idx(const uint8_t *ip, uint32_t prev_idx, int bytes, int first_byte)
 		bitshift = (int8_t)(((first_byte + bytes - 1) - i)*BYTE_SIZE);
 		idx |= ip[i] <<  bitshift;
 	}
-	return (prev_idx * 256) + idx;
+	return (prev_idx * TRIE_TBL8_GRP_NUM_ENT) + idx;
 }
 
 static inline uint64_t
@@ -354,8 +353,8 @@ recycle_root_path(struct rte_trie_tbl *dp, const uint8_t *ip_part,
 		return;
 
 	if (common_tbl8 != 0) {
-		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) * 256 + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) *
+			TRIE_TBL8_GRP_NUM_ENT + *ip_part, dp->nh_sz);
 		recycle_root_path(dp, ip_part + 1, common_tbl8 - 1, p);
 	}
 	tbl8_recycle(dp, prev, val >> 1);
@@ -388,7 +387,8 @@ build_common_root(struct rte_trie_tbl *dp, const uint8_t *ip,
 		j = i;
 		cur_tbl = dp->tbl8;
 	}
-	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * 256, dp->nh_sz);
+	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * TRIE_TBL8_GRP_NUM_ENT,
+		dp->nh_sz);
 	return 0;
 }
 
@@ -411,8 +411,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 				return tbl8_idx;
 			val = (tbl8_idx << 1)|TRIE_EXT_ENT;
 		}
-		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx * 256) + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx *
+			TRIE_TBL8_GRP_NUM_ENT) + *ip_part, dp->nh_sz);
 		ret = write_edge(dp, ip_part + 1, next_hop, len - 1, edge, p);
 		if (ret < 0)
 			return ret;
@@ -420,8 +420,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 			write_to_dp((uint8_t *)p + (1 << dp->nh_sz),
 				next_hop << 1, dp->nh_sz, UINT8_MAX - *ip_part);
 		} else {
-			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx * 256,
-				dp->nh_sz),
+			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx *
+				TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz),
 				next_hop << 1, dp->nh_sz, *ip_part);
 		}
 		tbl8_recycle(dp, &val, tbl8_idx);
-- 
2.7.4


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [PATCH] fib: fix possible integer overflow
  2020-01-14 17:18 [dpdk-dev] [PATCH] fib: fix possible integer overflow Vladimir Medvedkin
@ 2020-01-20  0:31 ` Thomas Monjalon
  2020-01-21 15:07 ` [dpdk-dev] [PATCH v2] " Vladimir Medvedkin
  1 sibling, 0 replies; 4+ messages in thread
From: Thomas Monjalon @ 2020-01-20  0:31 UTC (permalink / raw)
  To: Vladimir Medvedkin; +Cc: dev, stable

14/01/2020 18:18, Vladimir Medvedkin:
> Coverity issue: 350596
> Coverity issue: 350597

You can merge both IDs on one line, and remove the blank line after.

> 
> Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")
> Cc: vladimir.medvedkin@intel.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>

Please could you add an explanation?
Thanks



^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dpdk-dev] [PATCH v2] fib: fix possible integer overflow
  2020-01-14 17:18 [dpdk-dev] [PATCH] fib: fix possible integer overflow Vladimir Medvedkin
  2020-01-20  0:31 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
@ 2020-01-21 15:07 ` Vladimir Medvedkin
  2020-02-06 15:15   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
  1 sibling, 1 reply; 4+ messages in thread
From: Vladimir Medvedkin @ 2020-01-21 15:07 UTC (permalink / raw)
  To: dev; +Cc: thomas, vladimir.medvedkin, stable

This commit fixes possible integer overflow for
prev_idx in build_common_root() CID 350596
and
tbl8_idx in write_edge() CID 350597

Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
overflow_before_widen: Potentially overflowing expression tbl8_idx * 256
with type int (32 bits, signed) is evaluated using 32-bit arithmetic,
and then used in a context that expects an expression of
type uint64_t (64 bits, unsigned).

Coverity issue: 350596, 350597
Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")
Cc: vladimir.medvedkin@intel.com
Cc: stable@dpdk.org

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
---
 lib/librte_fib/trie.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/librte_fib/trie.c b/lib/librte_fib/trie.c
index 124aa8b..2ae2add 100644
--- a/lib/librte_fib/trie.c
+++ b/lib/librte_fib/trie.c
@@ -240,9 +240,8 @@ tbl8_alloc(struct rte_trie_tbl *dp, uint64_t nh)
 	tbl8_idx = tbl8_get(dp);
 	if (tbl8_idx < 0)
 		return tbl8_idx;
-	tbl8_ptr = (uint8_t *)dp->tbl8 +
-		((tbl8_idx * TRIE_TBL8_GRP_NUM_ENT) <<
-		dp->nh_sz);
+	tbl8_ptr = get_tbl_p_by_idx(dp->tbl8,
+		tbl8_idx * TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz);
 	/*Init tbl8 entries with nexthop from tbl24*/
 	write_to_dp((void *)tbl8_ptr, nh, dp->nh_sz,
 		TRIE_TBL8_GRP_NUM_ENT);
@@ -317,7 +316,7 @@ get_idx(const uint8_t *ip, uint32_t prev_idx, int bytes, int first_byte)
 		bitshift = (int8_t)(((first_byte + bytes - 1) - i)*BYTE_SIZE);
 		idx |= ip[i] <<  bitshift;
 	}
-	return (prev_idx * 256) + idx;
+	return (prev_idx * TRIE_TBL8_GRP_NUM_ENT) + idx;
 }
 
 static inline uint64_t
@@ -354,8 +353,8 @@ recycle_root_path(struct rte_trie_tbl *dp, const uint8_t *ip_part,
 		return;
 
 	if (common_tbl8 != 0) {
-		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) * 256 + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) *
+			TRIE_TBL8_GRP_NUM_ENT + *ip_part, dp->nh_sz);
 		recycle_root_path(dp, ip_part + 1, common_tbl8 - 1, p);
 	}
 	tbl8_recycle(dp, prev, val >> 1);
@@ -388,7 +387,8 @@ build_common_root(struct rte_trie_tbl *dp, const uint8_t *ip,
 		j = i;
 		cur_tbl = dp->tbl8;
 	}
-	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * 256, dp->nh_sz);
+	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * TRIE_TBL8_GRP_NUM_ENT,
+		dp->nh_sz);
 	return 0;
 }
 
@@ -411,8 +411,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 				return tbl8_idx;
 			val = (tbl8_idx << 1)|TRIE_EXT_ENT;
 		}
-		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx * 256) + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx *
+			TRIE_TBL8_GRP_NUM_ENT) + *ip_part, dp->nh_sz);
 		ret = write_edge(dp, ip_part + 1, next_hop, len - 1, edge, p);
 		if (ret < 0)
 			return ret;
@@ -420,8 +420,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 			write_to_dp((uint8_t *)p + (1 << dp->nh_sz),
 				next_hop << 1, dp->nh_sz, UINT8_MAX - *ip_part);
 		} else {
-			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx * 256,
-				dp->nh_sz),
+			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx *
+				TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz),
 				next_hop << 1, dp->nh_sz, *ip_part);
 		}
 		tbl8_recycle(dp, &val, tbl8_idx);
-- 
2.7.4


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [PATCH v2] fib: fix possible integer overflow
  2020-01-21 15:07 ` [dpdk-dev] [PATCH v2] " Vladimir Medvedkin
@ 2020-02-06 15:15   ` Thomas Monjalon
  0 siblings, 0 replies; 4+ messages in thread
From: Thomas Monjalon @ 2020-02-06 15:15 UTC (permalink / raw)
  To: Vladimir Medvedkin; +Cc: dev, stable

21/01/2020 16:07, Vladimir Medvedkin:
> This commit fixes possible integer overflow for
> prev_idx in build_common_root() CID 350596
> and
> tbl8_idx in write_edge() CID 350597
> 
> Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
> overflow_before_widen: Potentially overflowing expression tbl8_idx * 256
> with type int (32 bits, signed) is evaluated using 32-bit arithmetic,
> and then used in a context that expects an expression of
> type uint64_t (64 bits, unsigned).
> 
> Coverity issue: 350596, 350597
> Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")
> Cc: vladimir.medvedkin@intel.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>

Applied, thanks




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-02-06 15:15 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-14 17:18 [dpdk-dev] [PATCH] fib: fix possible integer overflow Vladimir Medvedkin
2020-01-20  0:31 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
2020-01-21 15:07 ` [dpdk-dev] [PATCH v2] " Vladimir Medvedkin
2020-02-06 15:15   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).