From: Owen Hilyard <ohilyard@iol.unh.edu>
To: dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] Fwd: [PATCH v3] lib/rte_rib6: fix stack buffer overflow
Date: Mon, 21 Jun 2021 09:30:19 -0400
Message-ID: <CAHx6DYAmRWXp2+a4avkM7hghBwzXNuiMoKJLP=uags4d-rUWCQ@mail.gmail.com>
In-Reply-To: <20210621132834.21673-1-ohilyard@iol.unh.edu>

Sorry about the forward, I forgot to CC stable when I sent it out.

---------- Forwarded message ---------
From: <ohilyard@iol.unh.edu>
Date: Mon, Jun 21, 2021 at 9:28 AM
Subject: [PATCH v3] lib/rte_rib6: fix stack buffer overflow
To: <vladimir.medvedkin@intel.com>
Cc: <dev@dpdk.org>, <stephen@networkplumber.org>, <david.marchand@redhat.com>, Owen Hilyard <ohilyard@iol.unh.edu>

From: Owen Hilyard <ohilyard@iol.unh.edu>

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir. The fix for the stack buffer overflow was to make sure depth was always < 128, since when depth = 128 it caused the index into the ip address to be 16, which read off the end of the array. While trying to solve the buffer overflow, I noticed that a few changes could be made to remove the for loop entirely.

Fixes: f7e861e21c ("rib: support IPv6")

Signed-off-by: Owen Hilyard <ohilyard@iol.unh.edu>
--- lib/rib/rte_rib6.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c index f6c55ee45..96424e9c9 100644 --- a/lib/rib/rte_rib6.c +++ b/lib/rib/rte_rib6.c 
@@ -79,20 +79,33 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE], static inline int get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth) { - int i = 0; - uint8_t p_depth, msk; - - for (p_depth = depth; p_depth >= 8; p_depth -= 8) - i++; - - msk = 1 << (7 - p_depth); - return (ip[i] & msk) != 0; + uint8_t index, msk; + + /* + * depth & 127 clamps depth to values that will not + * read off the end of ip. + * depth is the number of bits deep into ip to traverse, and + * is incremented in blocks of 8 (1 byte). This means the last + * 3 bits are irrelevant to what the index of ip should be. + */ + index = (depth & (UINT8_MAX - 1)) / CHAR_BIT; + + /* + * msk is the bitmask used to extract the bit used to decide the + * direction of the next step of the binary search. + */ + msk = 1 << (7 - (depth & 7)); + + return (ip[index] & msk) != 0; } static inline struct rte_rib6_node * get_nxt_node(struct rte_rib6_node *node, const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE]) { + if (node->depth == RIB6_MAXDEPTH) + return NULL; + return (get_dir(ip, node->depth)) ? node->right : node->left; } -- 2.30.2
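Review bot: in get_dir the mask does not do what its comment says: `depth & (UINT8_MAX - 1)` is `depth & 254`, not `depth & 127`, so depth = 128 still yields index = 128 / CHAR_BIT = 16 and `ip[index]` reads one byte past the RTE_RIB6_IPV6_ADDR_SIZE array, which is the overflow the commit message sets out to fix. As written, the only thing keeping get_dir in bounds is the new `node->depth == RIB6_MAXDEPTH` check in get_nxt_node, and nothing in this hunk shows that every other caller of get_dir is guarded the same way. Either use a mask that really is 127 (for example `depth & (RIB6_MAXDEPTH - 1)`, assuming RIB6_MAXDEPTH is 128) and say in the comment that depth 128 then aliases to bit 0 of ip[0] rather than being rejected, or drop the clamp and document that callers must pass depth < 128. The comment's "last 3 bits are irrelevant" sentence describes the division by CHAR_BIT, not the mask, and would read better attached to that. CHAR_BIT comes from <limits.h>, and all 21 insertions are in this hunk with no new include, so confirm the header is already pulled in for this file.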