[PATCH dpdk 0/2] IPv6: Fix coverity issues

[PATCH dpdk 0/2] IPv6: Fix coverity issues

[Robin Jarry]

Hi all,

Here are fixes for three coverity issues:

/lib/net/rte_ip6.h: 91 in rte_ipv6_addr_mask()
*** CID 446754:  Memory - illegal accesses  (OVERRUN)
85     {
86             if (depth < RTE_IPV6_MAX_DEPTH) {
87                     uint8_t d = depth / 8;
88                     uint8_t mask = ~(UINT8_MAX >> (depth % 8));
89                     ip->a[d] &= mask;
90                     d++;
>>>     CID 446754:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer
>>>     "&ip->a[d]".
91                     memset(&ip->a[d], 0, sizeof(*ip) - d);
92             }
93     }

/lib/net/rte_ip6.h: 114 in rte_ipv6_addr_eq_prefix()
*** CID 446756:  Memory - illegal accesses  (INTEGER_OVERFLOW)
108     rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a, const struct
                                rte_ipv6_addr *b, uint8_t depth)
109     {
110             if (depth < RTE_IPV6_MAX_DEPTH) {
111                     uint8_t d = depth / 8;
112                     uint8_t mask = ~(UINT8_MAX >> (depth % 8));
113
>>>     CID 446756:  Memory - illegal accesses  (INTEGER_OVERFLOW)
>>>     "d", which might have overflowed, is used in a pointer index in "a->a[d]".
114                     if ((a->a[d] ^ b->a[d]) & mask)
115                             return false;
116
117                     return memcmp(a, b, d) == 0;
118             }
119             return rte_ipv6_addr_eq(a, b);

/lib/net/rte_ip6.h: 89 in rte_ipv6_addr_mask()
*** CID 446758:  Memory - corruptions  (INTEGER_OVERFLOW)
83     static inline void
84     rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
85     {
86             if (depth < RTE_IPV6_MAX_DEPTH) {
87                     uint8_t d = depth / 8;
88                     uint8_t mask = ~(UINT8_MAX >> (depth % 8));
>>>     CID 446758:  Memory - corruptions  (INTEGER_OVERFLOW)
>>>     "d", which might have overflowed, is used in a pointer index in "ip->a[d]".
89                     ip->a[d] &= mask;
90                     d++;
91                     memset(&ip->a[d], 0, sizeof(*ip) - d);
92             }
93     }

Cheers.

Robin Jarry (2):
  net/ipv6: fix overflowed array index reads
  net/ipv6: fix out-of-bounds read

 lib/net/rte_ip6.h | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

-- 
2.47.0

[PATCH dpdk 1/2] net/ipv6: fix overflowed array index reads

[Robin Jarry]

Fix the following overflowed array index reads reported by Coverity:

107 static inline bool
108 rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a,
                            const struct rte_ipv6_addr *b, uint8_t depth)
109 {
        1. Condition depth < 128 /* 16 * 8 */, taking true branch.
110        if (depth < RTE_IPV6_MAX_DEPTH) {
        2. cast_overflow: Truncation due to cast operation on depth / 8
	                  from 32 to 8 bits.
        3. overflow_assign: d is assigned from depth / 8.
111                uint8_t d = depth / 8;
112                uint8_t mask = ~(UINT8_MAX >> (depth % 8));
113
        CID 446756: (#1 of 1): Overflowed array index read
        4. deref_overflow: d, which might have overflowed, is used in
	                   a pointer index in a->a[d].
114                if ((a->a[d] ^ b->a[d]) & mask)
115                        return false;
116
117                return memcmp(a, b, d) == 0;
118        }
119        return rte_ipv6_addr_eq(a, b);
120 }

The same issue has been reported both in rte_ipv6_addr_eq_prefix() and
rte_ipv6_addr_mask(). All arithmetic operations are made using regular
integers and then truncated on assign if necessary (or if explicitly
down cast to a smaller type). In this case, the result of (depth / 8) is
assumed to be on 32 bits and is implicitly down cast 8 bits. This is
causing a warning because it may result in unexpected behaviour.

Change the type of the d variables to unsigned int (32bit by default) to
avoid the overflow warning. Since depth is strictly lesser than
RTE_IPV6_MAX_DEPTH, d will always be lesser than RTE_IPV6_ADDR_SIZE.

Replace the magic 8 literals with CHAR_BIT to be consistent with the
definition of RTE_IPV6_MAX_DEPTH.

Coverity issue: 446756, 446758
Fixes: ca786def84ca ("net: add IPv6 address structure and utils")

Signed-off-by: Robin Jarry <rjarry@redhat.com>
---
 lib/net/rte_ip6.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/net/rte_ip6.h b/lib/net/rte_ip6.h
index 3ae38811b27c..c015c977573d 100644
--- a/lib/net/rte_ip6.h
+++ b/lib/net/rte_ip6.h
@@ -84,8 +84,8 @@ static inline void
 rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
 {
 	if (depth < RTE_IPV6_MAX_DEPTH) {
-		uint8_t d = depth / 8;
-		uint8_t mask = ~(UINT8_MAX >> (depth % 8));
+		unsigned int d = depth / CHAR_BIT;
+		uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
 		ip->a[d] &= mask;
 		d++;
 		memset(&ip->a[d], 0, sizeof(*ip) - d);
@@ -108,8 +108,8 @@ static inline bool
 rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a, const struct rte_ipv6_addr *b, uint8_t depth)
 {
 	if (depth < RTE_IPV6_MAX_DEPTH) {
-		uint8_t d = depth / 8;
-		uint8_t mask = ~(UINT8_MAX >> (depth % 8));
+		unsigned int d = depth / CHAR_BIT;
+		uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
 
 		if ((a->a[d] ^ b->a[d]) & mask)
 			return false;
-- 
2.47.0

[PATCH dpdk 2/2] net/ipv6: fix out-of-bounds read

[Robin Jarry]

Fix the following out-of-bounds read in rte_ipv6_addr_mask() reported by
Coverity:

83 static inline void
84 rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
85 {
       1. Condition depth < 128 /* 16 * 8 */, taking true branch.
       2. cond_at_most: Checking depth < 128 implies that depth may be
                        up to 127 on the true branch.
86        if (depth < RTE_IPV6_MAX_DEPTH) {
       3. assignment: Assigning: d = depth / 8.
                      The value of d may now be up to 15.
87                uint8_t d = depth / 8;
88                uint8_t mask = ~(UINT8_MAX >> (depth % 8));
89                ip->a[d] &= mask;
       4. incr: Incrementing d. The value of d may now be up to 16.
90                d++;
       CID 446754: (#1 of 1): Out-of-bounds read (OVERRUN)
       5. overrun-local: Overrunning array of 16 bytes at byte offset
                         16 by dereferencing pointer &ip->a[d].
91                memset(&ip->a[d], 0, sizeof(*ip) - d);
92        }
93 }

Use a simple loop instead of memset.

Coverity issue: 446754
Fixes: ca786def84ca ("net: add IPv6 address structure and utils")

Signed-off-by: Robin Jarry <rjarry@redhat.com>
---
 lib/net/rte_ip6.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/net/rte_ip6.h b/lib/net/rte_ip6.h
index c015c977573d..3843fb7c2fd6 100644
--- a/lib/net/rte_ip6.h
+++ b/lib/net/rte_ip6.h
@@ -88,7 +88,8 @@ rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
 		uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
 		ip->a[d] &= mask;
 		d++;
-		memset(&ip->a[d], 0, sizeof(*ip) - d);
+		while (d < sizeof(*ip))
+			ip->a[d++] = 0;
 	}
 }
 
-- 
2.47.0

RE: [PATCH dpdk 0/2] IPv6: Fix coverity issues

[Morten Brørup]

For the series,
Acked-by: Morten Brørup <mb@smartsharesystems.com>

BTW:
It's probably too late to change now, but the common term describing the number of set bits in an IP netmask is "prefix length", not "depth".
E.g. the subnet 192.0.2.0/24 has a prefix length (not depth) of 24.