From: ohilyard@iol.unh.edu
To: vladimir.medvedkin@intel.com
Cc: dev@dpdk.org, stable@dpdk.org, stephen@networkplumber.org, david.marchand@redhat.com, Owen Hilyard
Date: Wed, 23 Jun 2021 11:17:29 -0400
Message-Id: <20210623151730.35276-1-ohilyard@iol.unh.edu>
In-Reply-To: <20210621132834.21673-1-ohilyard@iol.unh.edu>
Subject: [dpdk-stable] [PATCH v4] rib: fix max depth IPv6 lookup

From: Owen Hilyard

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir.

The fix for the stack buffer overflow was to make sure depth was always < 128, since when depth = 128 it caused the index into the ip address to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few changes could be made to remove the for loop entirely.

Fixes: f7e861e21c ("rib: support IPv6")
Signed-off-by: Owen Hilyard

--- lib/rib/rte_rib6.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c index f6c55ee45..96424e9c9 100644 --- a/lib/rib/rte_rib6.c 
+++ b/lib/rib/rte_rib6.c @@ -79,20 +79,33 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE], static inline int get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth) { - int i = 0; - uint8_t p_depth, msk; - - for (p_depth = depth; p_depth >= 8; p_depth -= 8) - i++; - - msk = 1 << (7 - p_depth); - return (ip[i] & msk) != 0; + uint8_t index, msk; + + /* + * depth & 127 clamps depth to values that will not + * read off the end of ip. + * depth is the number of bits deep into ip to traverse, and + * is incremented in blocks of 8 (1 byte). This means the last + * 3 bits are irrelevant to what the index of ip should be. + */ + index = (depth & (UINT8_MAX - 1)) / CHAR_BIT; + + /* + * msk is the bitmask used to extract the bit used to decide the + * direction of the next step of the binary search. + */ + msk = 1 << (7 - (depth & 7)); + + return (ip[index] & msk) != 0; } static inline struct rte_rib6_node * get_nxt_node(struct rte_rib6_node *node, const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE]) { + if (node->depth == RIB6_MAXDEPTH) + return NULL; + return (get_dir(ip, node->depth)) ? node->right : node->left; } -- 2.30.2
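
Review bot: In get_dir the comment promises `depth & 127`, but the code masks with `(UINT8_MAX - 1)`, which is 254 and only clears bit 0. With depth = 128 the index is still 128 / CHAR_BIT = 16, the same one-past-the-end read the commit message describes, and any depth from 129 to 255 indexes further out, so get_dir on its own remains unsafe and the fix rests entirely on the new `node->depth == RIB6_MAXDEPTH` check in get_nxt_node. Suggest making the mask match the comment, e.g. `index = (depth & 127) / CHAR_BIT;`, or dropping the mask and documenting that callers must pass depth < 128. The comment's remark that the last 3 bits are irrelevant is achieved by the division, not by the mask, so the wording should say that. Please also confirm that <limits.h> is included for CHAR_BIT and that every caller of get_nxt_node handles the new NULL return; neither is visible in this hunk.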