Hi all,
Here are fixes for three coverity issues:
/lib/net/rte_ip6.h: 91 in rte_ipv6_addr_mask()
*** CID 446754: Memory - illegal accesses (OVERRUN)
85 {
86 if (depth < RTE_IPV6_MAX_DEPTH) {
87 uint8_t d = depth / 8;
88 uint8_t mask = ~(UINT8_MAX >> (depth % 8));
89 ip->a[d] &= mask;
90 d++;
>>> CID 446754: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer
>>> "&ip->a[d]".
91 memset(&ip->a[d], 0, sizeof(*ip) - d);
92 }
93 }
/lib/net/rte_ip6.h: 114 in rte_ipv6_addr_eq_prefix()
*** CID 446756: Memory - illegal accesses (INTEGER_OVERFLOW)
108 rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a, const struct
rte_ipv6_addr *b, uint8_t depth)
109 {
110 if (depth < RTE_IPV6_MAX_DEPTH) {
111 uint8_t d = depth / 8;
112 uint8_t mask = ~(UINT8_MAX >> (depth % 8));
113
>>> CID 446756: Memory - illegal accesses (INTEGER_OVERFLOW)
>>> "d", which might have overflowed, is used in a pointer index in
>>> "a->a[d]".
114 if ((a->a[d] ^ b->a[d]) & mask)
115 return false;
116
117 return memcmp(a, b, d) == 0;
118 }
119 return rte_ipv6_addr_eq(a, b);
/lib/net/rte_ip6.h: 89 in rte_ipv6_addr_mask()
*** CID 446758: Memory - corruptions (INTEGER_OVERFLOW)
83 static inline void
84 rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
85 {
86 if (depth < RTE_IPV6_MAX_DEPTH) {
87 uint8_t d = depth / 8;
88 uint8_t mask = ~(UINT8_MAX >> (depth % 8));
>>> CID 446758: Memory - corruptions (INTEGER_OVERFLOW)
>>> "d", which might have overflowed, is used in a pointer index in
>>> "ip->a[d]".
89 ip->a[d] &= mask;
90 d++;
91 memset(&ip->a[d], 0, sizeof(*ip) - d);
92 }
93 }
Cheers.
Robin Jarry (2):
net/ipv6: fix overflowed array index reads
net/ipv6: fix out-of-bounds read
lib/net/rte_ip6.h | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--
2.47.0
