From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 94DDCA0C43 for ; Thu, 21 Oct 2021 19:16:05 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 896174003E; Thu, 21 Oct 2021 19:16:05 +0200 (CEST) Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mails.dpdk.org (Postfix) with ESMTP id 84EAB4003E; Thu, 21 Oct 2021 19:16:03 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10144"; a="227864822" X-IronPort-AV: E=Sophos;i="5.87,170,1631602800"; d="scan'208";a="227864822" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Oct 2021 10:15:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.87,170,1631602800"; d="scan'208";a="595182306" Received: from silpixa00400072.ir.intel.com ([10.237.222.213]) by orsmga004.jf.intel.com with ESMTP; 21 Oct 2021 10:15:51 -0700 From: Vladimir Medvedkin To: dev@dpdk.org Cc: bruce.richardson@intel.com, david.marchand@redhat.com, alex@therouter.net, stable@dpdk.org Date: Thu, 21 Oct 2021 18:15:49 +0100 Message-Id: <1634836549-10800-1-git-send-email-vladimir.medvedkin@intel.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1633728537-197824-1-git-send-email-vladimir.medvedkin@intel.com> References: <1633728537-197824-1-git-send-email-vladimir.medvedkin@intel.com> Subject: [dpdk-stable] [PATCH v2] lpm: fix buffer overflow X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" This patch fixes buffer overflow reported by ASAN, please reference https://bugs.dpdk.org/show_bug.cgi?id=819 The rte_lpm6 keeps routing information for control plane purpose inside the rte_hash table which uses rte_jhash() as a hash function. >From the rte_jhash() documentation: If input key is not aligned to four byte boundaries or a multiple of four bytes in length, the memory region just after may be read (but not used in the computation). rte_lpm6 uses 17 bytes keys consisting of IPv6 address (16 bytes) + depth (1 byte). This patch increases the size of the depth field up to uint32_t and sets the alignment to 4 bytes. Bugzilla ID: 819 Fixes: 86b3b21952a8 ("lpm6: store rules in hash table") Cc: alex@therouter.net Cc: stable@dpdk.org Signed-off-by: Vladimir Medvedkin --- lib/lpm/rte_lpm6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/lpm/rte_lpm6.c b/lib/lpm/rte_lpm6.c index 37baabb..73768fc 100644 --- a/lib/lpm/rte_lpm6.c +++ b/lib/lpm/rte_lpm6.c @@ -80,7 +80,7 @@ struct rte_lpm6_rule { /** Rules tbl entry key. */ struct rte_lpm6_rule_key { uint8_t ip[RTE_LPM6_IPV6_ADDR_SIZE]; /**< Rule IP address. */ - uint8_t depth; /**< Rule depth. */ + uint32_t depth; /**< Rule depth. */ }; /* Header of tbl8 */ @@ -259,6 +259,8 @@ rte_lpm6_create(const char *name, int socket_id, lpm_list = RTE_TAILQ_CAST(rte_lpm6_tailq.head, rte_lpm6_list); RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_tbl_entry) != sizeof(uint32_t)); + RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_rule_key) % + sizeof(uint32_t) != 0); /* Check user arguments. */ if ((name == NULL) || (socket_id < -1) || (config == NULL) || -- 2.7.4