From: Robin Jarry <rjarry@redhat.com>
To: dev@dpdk.org
Subject: [PATCH dpdk 1/2] net/ipv6: fix overflowed array index reads
Date: Thu, 24 Oct 2024 17:19:21 +0200 [thread overview]
Message-ID: <20241024151919.400878-5-rjarry@redhat.com> (raw)
In-Reply-To: <20241024151919.400878-4-rjarry@redhat.com>
Fix the following overflowed array index reads reported by Coverity:
107 static inline bool
108 rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a,
const struct rte_ipv6_addr *b, uint8_t depth)
109 {
1. Condition depth < 128 /* 16 * 8 */, taking true branch.
110 if (depth < RTE_IPV6_MAX_DEPTH) {
2. cast_overflow: Truncation due to cast operation on depth / 8
from 32 to 8 bits.
3. overflow_assign: d is assigned from depth / 8.
111 uint8_t d = depth / 8;
112 uint8_t mask = ~(UINT8_MAX >> (depth % 8));
113
CID 446756: (#1 of 1): Overflowed array index read
4. deref_overflow: d, which might have overflowed, is used in
a pointer index in a->a[d].
114 if ((a->a[d] ^ b->a[d]) & mask)
115 return false;
116
117 return memcmp(a, b, d) == 0;
118 }
119 return rte_ipv6_addr_eq(a, b);
120 }
The same issue has been reported both in rte_ipv6_addr_eq_prefix() and
rte_ipv6_addr_mask(). All arithmetic operations are made using regular
integers and then truncated on assign if necessary (or if explicitly
down cast to a smaller type). In this case, the result of (depth / 8) is
assumed to be on 32 bits and is implicitly down cast 8 bits. This is
causing a warning because it may result in unexpected behaviour.
Change the type of the d variables to unsigned int (32bit by default) to
avoid the overflow warning. Since depth is strictly lesser than
RTE_IPV6_MAX_DEPTH, d will always be lesser than RTE_IPV6_ADDR_SIZE.
Replace the magic 8 literals with CHAR_BIT to be consistent with the
definition of RTE_IPV6_MAX_DEPTH.
Coverity issue: 446756, 446758
Fixes: ca786def84ca ("net: add IPv6 address structure and utils")
Signed-off-by: Robin Jarry <rjarry@redhat.com>
---
lib/net/rte_ip6.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/net/rte_ip6.h b/lib/net/rte_ip6.h
index 3ae38811b27c..c015c977573d 100644
--- a/lib/net/rte_ip6.h
+++ b/lib/net/rte_ip6.h
@@ -84,8 +84,8 @@ static inline void
rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
{
if (depth < RTE_IPV6_MAX_DEPTH) {
- uint8_t d = depth / 8;
- uint8_t mask = ~(UINT8_MAX >> (depth % 8));
+ unsigned int d = depth / CHAR_BIT;
+ uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
ip->a[d] &= mask;
d++;
memset(&ip->a[d], 0, sizeof(*ip) - d);
@@ -108,8 +108,8 @@ static inline bool
rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a, const struct rte_ipv6_addr *b, uint8_t depth)
{
if (depth < RTE_IPV6_MAX_DEPTH) {
- uint8_t d = depth / 8;
- uint8_t mask = ~(UINT8_MAX >> (depth % 8));
+ unsigned int d = depth / CHAR_BIT;
+ uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
if ((a->a[d] ^ b->a[d]) & mask)
return false;
--
2.47.0
next prev parent reply other threads:[~2024-10-24 15:19 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-24 15:19 [PATCH dpdk 0/2] IPv6: Fix coverity issues Robin Jarry
2024-10-24 15:19 ` Robin Jarry [this message]
2024-10-24 15:19 ` [PATCH dpdk 2/2] net/ipv6: fix out-of-bounds read Robin Jarry
2024-10-24 15:37 ` [PATCH dpdk 0/2] IPv6: Fix coverity issues Morten Brørup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241024151919.400878-5-rjarry@redhat.com \
--to=rjarry@redhat.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).