Fix the following out-of-bounds read in rte_ipv6_addr_mask() reported by
Coverity:
83 static inline void
84 rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
85 {
1. Condition depth < 128 /* 16 * 8 */, taking true branch.
2. cond_at_most: Checking depth < 128 implies that depth may be
up to 127 on the true branch.
86 if (depth < RTE_IPV6_MAX_DEPTH) {
3. assignment: Assigning: d = depth / 8.
The value of d may now be up to 15.
87 uint8_t d = depth / 8;
88 uint8_t mask = ~(UINT8_MAX >> (depth % 8));
89 ip->a[d] &= mask;
4. incr: Incrementing d. The value of d may now be up to 16.
90 d++;
CID 446754: (#1 of 1): Out-of-bounds read (OVERRUN)
5. overrun-local: Overrunning array of 16 bytes at byte offset
16 by dereferencing pointer &ip->a[d].
91 memset(&ip->a[d], 0, sizeof(*ip) - d);
92 }
93 }
Use a simple loop instead of memset.
Coverity issue: 446754
Fixes: ca786def84ca ("net: add IPv6 address structure and utils")
Signed-off-by: Robin Jarry <rja...@redhat.com>
---
lib/net/rte_ip6.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/net/rte_ip6.h b/lib/net/rte_ip6.h
index c015c977573d..3843fb7c2fd6 100644
--- a/lib/net/rte_ip6.h
+++ b/lib/net/rte_ip6.h
@@ -88,7 +88,8 @@ rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
ip->a[d] &= mask;
d++;
- memset(&ip->a[d], 0, sizeof(*ip) - d);
+ while (d < sizeof(*ip))
+ ip->a[d++] = 0;
}
}
--
2.47.0
