DPDK patches and discussions
 help / color / mirror / Atom feed
From: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
To: dev@dpdk.org
Cc: thomas@monjalon.net, vladimir.medvedkin@intel.com, stable@dpdk.org
Subject: [dpdk-dev] [PATCH v2] fib: fix possible integer overflow
Date: Tue, 21 Jan 2020 15:07:09 +0000	[thread overview]
Message-ID: <1579619229-75215-1-git-send-email-vladimir.medvedkin@intel.com> (raw)
In-Reply-To: <1579022312-396072-1-git-send-email-vladimir.medvedkin@intel.com>

This commit fixes possible integer overflow for
prev_idx in build_common_root() CID 350596
and
tbl8_idx in write_edge() CID 350597

Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
overflow_before_widen: Potentially overflowing expression tbl8_idx * 256
with type int (32 bits, signed) is evaluated using 32-bit arithmetic,
and then used in a context that expects an expression of
type uint64_t (64 bits, unsigned).

Coverity issue: 350596, 350597
Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")
Cc: vladimir.medvedkin@intel.com
Cc: stable@dpdk.org

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
---
 lib/librte_fib/trie.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/librte_fib/trie.c b/lib/librte_fib/trie.c
index 124aa8b..2ae2add 100644
--- a/lib/librte_fib/trie.c
+++ b/lib/librte_fib/trie.c
@@ -240,9 +240,8 @@ tbl8_alloc(struct rte_trie_tbl *dp, uint64_t nh)
 	tbl8_idx = tbl8_get(dp);
 	if (tbl8_idx < 0)
 		return tbl8_idx;
-	tbl8_ptr = (uint8_t *)dp->tbl8 +
-		((tbl8_idx * TRIE_TBL8_GRP_NUM_ENT) <<
-		dp->nh_sz);
+	tbl8_ptr = get_tbl_p_by_idx(dp->tbl8,
+		tbl8_idx * TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz);
 	/*Init tbl8 entries with nexthop from tbl24*/
 	write_to_dp((void *)tbl8_ptr, nh, dp->nh_sz,
 		TRIE_TBL8_GRP_NUM_ENT);
@@ -317,7 +316,7 @@ get_idx(const uint8_t *ip, uint32_t prev_idx, int bytes, int first_byte)
 		bitshift = (int8_t)(((first_byte + bytes - 1) - i)*BYTE_SIZE);
 		idx |= ip[i] <<  bitshift;
 	}
-	return (prev_idx * 256) + idx;
+	return (prev_idx * TRIE_TBL8_GRP_NUM_ENT) + idx;
 }
 
 static inline uint64_t
@@ -354,8 +353,8 @@ recycle_root_path(struct rte_trie_tbl *dp, const uint8_t *ip_part,
 		return;
 
 	if (common_tbl8 != 0) {
-		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) * 256 + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) *
+			TRIE_TBL8_GRP_NUM_ENT + *ip_part, dp->nh_sz);
 		recycle_root_path(dp, ip_part + 1, common_tbl8 - 1, p);
 	}
 	tbl8_recycle(dp, prev, val >> 1);
@@ -388,7 +387,8 @@ build_common_root(struct rte_trie_tbl *dp, const uint8_t *ip,
 		j = i;
 		cur_tbl = dp->tbl8;
 	}
-	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * 256, dp->nh_sz);
+	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * TRIE_TBL8_GRP_NUM_ENT,
+		dp->nh_sz);
 	return 0;
 }
 
@@ -411,8 +411,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 				return tbl8_idx;
 			val = (tbl8_idx << 1)|TRIE_EXT_ENT;
 		}
-		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx * 256) + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx *
+			TRIE_TBL8_GRP_NUM_ENT) + *ip_part, dp->nh_sz);
 		ret = write_edge(dp, ip_part + 1, next_hop, len - 1, edge, p);
 		if (ret < 0)
 			return ret;
@@ -420,8 +420,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 			write_to_dp((uint8_t *)p + (1 << dp->nh_sz),
 				next_hop << 1, dp->nh_sz, UINT8_MAX - *ip_part);
 		} else {
-			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx * 256,
-				dp->nh_sz),
+			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx *
+				TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz),
 				next_hop << 1, dp->nh_sz, *ip_part);
 		}
 		tbl8_recycle(dp, &val, tbl8_idx);
-- 
2.7.4


  parent reply	other threads:[~2020-01-21 15:07 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-14 17:18 [dpdk-dev] [PATCH] " Vladimir Medvedkin
2020-01-20  0:31 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
2020-01-21 15:07 ` Vladimir Medvedkin [this message]
2020-02-06 15:15   ` [dpdk-dev] [dpdk-stable] [PATCH v2] " Thomas Monjalon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1579619229-75215-1-git-send-email-vladimir.medvedkin@intel.com \
    --to=vladimir.medvedkin@intel.com \
    --cc=dev@dpdk.org \
    --cc=stable@dpdk.org \
    --cc=thomas@monjalon.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).