From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 0FE43A0C4C
	for <public@inbox.dpdk.org>; Mon, 12 Jul 2021 15:11:51 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 061204119D;
	Mon, 12 Jul 2021 15:11:51 +0200 (CEST)
Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com
 [209.85.221.49]) by mails.dpdk.org (Postfix) with ESMTP id 2DC1A4069E
 for <stable@dpdk.org>; Mon, 12 Jul 2021 15:11:50 +0200 (CEST)
Received: by mail-wr1-f49.google.com with SMTP id l7so24630235wrv.7
 for <stable@dpdk.org>; Mon, 12 Jul 2021 06:11:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=v5B6/VcefFq/iH8wiaNDCe56tCHp17NLfyznYhK6SKA=;
 b=QxgH0mKqelv1zeuqICrucrG/uYH1s8tBBpBpPKh9NoQ+cduL+jopjqLYZi3rqH/zgd
 UPOnXmQDofypLAddLaV9/N7qC4CfGFnxT6zF/I24tPf0ns0oxG0FveBDi5f34nhLWVxP
 pM8QOfRnL5/t1NSwWyqj3QRDBp+zTILiKm0a5PGQjSrdOLAN5jT6FU34UhR89iIllsEO
 XizVJI1G4j4A51gSjpu8aHlLy+kgaKN5h3cLW2yZuqkjDqCd8G8niZ7968hBH3rV3ptG
 71di+C1HSIuhPNkQlVRimRulLIwqPLANGQVPirTPCGxZxU4VU/4Npt9blHO/Or9u7VC2
 Jk7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=v5B6/VcefFq/iH8wiaNDCe56tCHp17NLfyznYhK6SKA=;
 b=ke/bSlt2007lL4yplQyLx3+0161Gh2IYJtwx2vhFOpx2U4QR+VPP8yi2exwX6N4gyp
 4OueY/lxXfRWMboa8zTL8PtBVd0fMHSFJTtpbtwXRz4n5TnImwsG/mG6UZiLfJR7g9L/
 Mvluo0zxXD0E/Bu8X/eRJBlv/8CKSmgMS/HAH95Yo5ztfVEK9KUN7D0tTrem9ScaUwx6
 Z1s+6n2QFXCWcYweTQE1u7BrvpntVZxAceZHDdDfryW1WhmtwjfuPNRkWFEzP2CGyCe1
 8pRf+BjR6zS79DQSsr/1UdAB/PDwpgfe2cOxclhIXcL4qCCIUoflbEzI1wddxxYwj1CY
 IwXA==
X-Gm-Message-State: AOAM533Y5OIvfe/ALg227DD3e8M6zGTCaBApFHASeTGSmX2CIbenGFGX
 SHEYiLOnSuyIHHnAaJ/uubY=
X-Google-Smtp-Source: ABdhPJwQCu95V0TsvltYFL1H8JXGk0ssuaYLyhobSk5hdKnBGU7xJr/7fbn1q2kCcAFqsaIUs5g+FA==
X-Received: by 2002:adf:f907:: with SMTP id b7mr58657240wrr.357.1626095509983; 
 Mon, 12 Jul 2021 06:11:49 -0700 (PDT)
Received: from localhost ([137.220.125.106])
 by smtp.gmail.com with ESMTPSA id y13sm14257123wrp.80.2021.07.12.06.11.48
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 12 Jul 2021 06:11:48 -0700 (PDT)
From: luca.boccassi@gmail.com
To: Owen Hilyard <ohilyard@iol.unh.edu>
Cc: Vladimir Medvedkin <vladimir.medvedkin@intel.com>,
 dpdk stable <stable@dpdk.org>
Date: Mon, 12 Jul 2021 14:04:29 +0100
Message-Id: <20210712130551.2462159-34-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210712130551.2462159-1-luca.boccassi@gmail.com>
References: <20210712130551.2462159-1-luca.boccassi@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-stable] patch 'rib: fix max depth IPv6 lookup' has been
 queued to stable release 20.11.3
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

Hi,

FYI, your patch has been queued to stable release 20.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/14/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/f544eab528ffab4fcccd697b770a5336993a23e2

Thanks.

Luca Boccassi

---
>From f544eab528ffab4fcccd697b770a5336993a23e2 Mon Sep 17 00:00:00 2001
From: Owen Hilyard <ohilyard@iol.unh.edu>
Date: Wed, 23 Jun 2021 11:17:29 -0400
Subject: [PATCH] rib: fix max depth IPv6 lookup

[ upstream commit 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 ]

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir.
The fix for the stack buffer overflow was to make sure depth
was always < 128, since when depth = 128 it caused the index
into the ip address to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few
changes could be made to remove the for loop entirely.

Fixes: f7e861e21c46 ("rib: support IPv6")

Signed-off-by: Owen Hilyard <ohilyard@iol.unh.edu>
Acked-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
---
 lib/librte_rib/rte_rib6.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/lib/librte_rib/rte_rib6.c b/lib/librte_rib/rte_rib6.c
index f6c55ee454..96424e9c9f 100644
--- a/lib/librte_rib/rte_rib6.c
+++ b/lib/librte_rib/rte_rib6.c
@@ -79,20 +79,33 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE],
 static inline int
 get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth)
 {
-	int i = 0;
-	uint8_t p_depth, msk;
+	uint8_t index, msk;
 
-	for (p_depth = depth; p_depth >= 8; p_depth -= 8)
-		i++;
+	/*
+	 * depth & 127 clamps depth to values that will not
+	 * read off the end of ip.
+	 * depth is the number of bits deep into ip to traverse, and
+	 * is incremented in blocks of 8 (1 byte). This means the last
+	 * 3 bits are irrelevant to what the index of ip should be.
+	 */
+	index = (depth & (UINT8_MAX - 1)) / CHAR_BIT;
 
-	msk = 1 << (7 - p_depth);
-	return (ip[i] & msk) != 0;
+	/*
+	 * msk is the bitmask used to extract the bit used to decide the
+	 * direction of the next step of the binary search.
+	 */
+	msk = 1 << (7 - (depth & 7));
+
+	return (ip[index] & msk) != 0;
 }
 
 static inline struct rte_rib6_node *
 get_nxt_node(struct rte_rib6_node *node,
 	const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE])
 {
+	if (node->depth == RIB6_MAXDEPTH)
+		return NULL;
+
 	return (get_dir(ip, node->depth)) ? node->right : node->left;
 }
 
-- 
2.30.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2021-07-12 13:41:38.477712027 +0100
+++ 0034-rib-fix-max-depth-IPv6-lookup.patch	2021-07-12 13:41:36.298118611 +0100
@@ -1 +1 @@
-From 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 Mon Sep 17 00:00:00 2001
+From f544eab528ffab4fcccd697b770a5336993a23e2 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 ]
+
@@ -15 +16,0 @@
-Cc: stable@dpdk.org
@@ -20 +21 @@
- lib/rib/rte_rib6.c | 25 +++++++++++++++++++------
+ lib/librte_rib/rte_rib6.c | 25 +++++++++++++++++++------
@@ -23 +24 @@
-diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c
+diff --git a/lib/librte_rib/rte_rib6.c b/lib/librte_rib/rte_rib6.c
@@ -25,2 +26,2 @@
---- a/lib/rib/rte_rib6.c
-+++ b/lib/rib/rte_rib6.c
+--- a/lib/librte_rib/rte_rib6.c
++++ b/lib/librte_rib/rte_rib6.c