MIME-Version: 1.0
References: <20210616181833.356159-1-ohilyard@iol.unh.edu> <20210621132834.21673-1-ohilyard@iol.unh.edu>
In-Reply-To: <20210621132834.21673-1-ohilyard@iol.unh.edu>
From: Owen Hilyard
Date: Mon, 21 Jun 2021 09:30:19 -0400
To: dpdk stable
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
Subject: [dpdk-stable] Fwd: [PATCH v3] lib/rte_rib6: fix stack buffer overflow
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches
Errors-To: stable-bounces@dpdk.org
Sender: "stable"

Sorry about the forward, I forgot to CC stable when I sent it out.

---------- Forwarded message ---------
From:
Date: Mon, Jun 21, 2021 at 9:28 AM
Subject: [PATCH v3] lib/rte_rib6: fix stack buffer overflow
To:
Cc: , , , Owen Hilyard

From: Owen Hilyard

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir. The fix for the stack buffer overflow was to make sure depth was always < 128, since when depth = 128 it caused the index into the ip address to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few changes could be made to remove the for loop entirely.

Fixes: f7e861e21c ("rib: support IPv6")

Signed-off-by: Owen Hilyard
---
 lib/rib/rte_rib6.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c
index f6c55ee45..96424e9c9 100644
--- a/lib/rib/rte_rib6.c
+++ b/lib/rib/rte_rib6.c
@@ -79,20 +79,33 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE], static inline int get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth) { - int i = 0; - uint8_t p_depth, msk; - - for (p_depth = depth; p_depth >= 8; p_depth -= 8) - i++; - - msk = 1 << (7 - p_depth); - return (ip[i] & msk) != 0; + uint8_t index, msk; + + /* + * depth & 127 clamps depth to values that will not + * read off the end of ip. + * depth is the number of bits deep into ip to traverse, and + * is incremented in blocks of 8 (1 byte). This means the last + * 3 bits are irrelevant to what the index of ip should be. + */ + index = (depth & (UINT8_MAX - 1)) / CHAR_BIT; + + /* + * msk is the bitmask used to extract the bit used to decide the + * direction of the next step of the binary search. + */ + msk = 1 << (7 - (depth & 7)); + + return (ip[index] & msk) != 0; } static inline struct rte_rib6_node * get_nxt_node(struct rte_rib6_node *node, const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE]) { + if (node->depth == RIB6_MAXDEPTH) + return NULL; + return (get_dir(ip, node->depth)) ? node->right : node->left; } -- 2.30.2
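Review bot: The new index mask in get_dir does not do what its comment says, so the overflow described in the commit message is not actually removed inside get_dir. `UINT8_MAX - 1` is 254 (binary 11111110), so `index = (depth & (UINT8_MAX - 1)) / CHAR_BIT;` only clears bit 0 of depth, and depth == 128 still gives index 128 / 8 = 16, one past the end of the 16-byte `ip` array. The comment describes `depth & 127`; that would stay in bounds but silently maps depth 128 onto depth 0 and returns a wrong direction instead of an error. What really prevents the bad read is the new `if (node->depth == RIB6_MAXDEPTH) return NULL;` in get_nxt_node, so either make get_dir enforce the same bound itself (a range check or RTE_ASSERT on `depth < RIB6_MAXDEPTH`, then simply `index = depth / CHAR_BIT;`) or fix the mask and comment so they agree; as written, any other caller of get_dir still gets the out-of-bounds index. Two smaller points: `CHAR_BIT` needs <limits.h> and `UINT8_MAX` needs <stdint.h>, and the includes are outside this hunk, so please confirm they are present; and returning NULL from get_nxt_node is a new contract for its callers, so every call site needs to be checked for NULL handling.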
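The following is an added example, not code from the patch or from DPDK, that makes the commit message's point concrete: it compares the byte index produced by the patch's `depth & (UINT8_MAX - 1)` mask with the `depth & 127` mask its comment describes, and shows a bounds-checked variant of the direction lookup run on a constructed IPv6 address. The array size and the 128-bit depth limit are assumed to match RTE_RIB6_IPV6_ADDR_SIZE and RIB6_MAXDEPTH; the function names are the example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_ADDR_SIZE 16  /* assumed: same value as RTE_RIB6_IPV6_ADDR_SIZE */
#define MAXDEPTH 128       /* assumed: same value as RIB6_MAXDEPTH */

/* Index as computed in the patch. UINT8_MAX - 1 is 254, so only bit 0 of
 * depth is cleared and depth 128 still maps to byte 16, one past the end. */
static int patch_index(uint8_t depth)
{
    return (depth & (UINT8_MAX - 1)) / CHAR_BIT;
}

/* Index as described in the patch's comment. depth & 127 keeps the byte
 * index in 0..15, but it silently aliases depth 128 onto depth 0. */
static int masked_index(uint8_t depth)
{
    return (depth & 127) / CHAR_BIT;
}

/* Bounds-checked direction lookup: rejects depths with no bit to test
 * instead of masking them. Returns 0 or 1, or -1 for an invalid depth. */
static int get_dir_checked(const uint8_t ip[IPV6_ADDR_SIZE], uint8_t depth)
{
    if (depth >= MAXDEPTH)
        return -1;
    uint8_t msk = 1 << (7 - (depth & 7));   /* MSB-first within the byte */
    return (ip[depth / CHAR_BIT] & msk) != 0;
}

/* Runs the checked lookup on a constructed sample address in which only
 * the last bit (bit 127, lowest bit of byte 15) is set. */
static int sample_dir(uint8_t depth)
{
    uint8_t ip[IPV6_ADDR_SIZE] = {0};
    ip[15] = 0x01;
    return get_dir_checked(ip, depth);
}

int main(void)
{
    printf("depth 128: patch index %d, masked index %d\n",
           patch_index(128), masked_index(128));
    printf("dir at depth 126/127/128: %d %d %d\n",
           sample_dir(126), sample_dir(127), sample_dir(128));
    return 0;
}
```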