[PATCH dpdk 1/2] net/ipv6: fix overflowed array index reads

Fri, 25 Oct 2024 00:16:22 -0700 

Fix the following overflowed array index reads reported by Coverity:

107 static inline bool
108 rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a,
                            const struct rte_ipv6_addr *b, uint8_t depth)
109 {
        1. Condition depth < 128 /* 16 * 8 */, taking true branch.
110        if (depth < RTE_IPV6_MAX_DEPTH) {
        2. cast_overflow: Truncation due to cast operation on depth / 8
                          from 32 to 8 bits.
        3. overflow_assign: d is assigned from depth / 8.
111                uint8_t d = depth / 8;
112                uint8_t mask = ~(UINT8_MAX >> (depth % 8));
113
        CID 446756: (#1 of 1): Overflowed array index read
        4. deref_overflow: d, which might have overflowed, is used in
                           a pointer index in a->a[d].
114                if ((a->a[d] ^ b->a[d]) & mask)
115                        return false;
116
117                return memcmp(a, b, d) == 0;
118        }
119        return rte_ipv6_addr_eq(a, b);
120 }

The same issue has been reported both in rte_ipv6_addr_eq_prefix() and
rte_ipv6_addr_mask(). All arithmetic operations are made using regular
integers and then truncated on assign if necessary (or if explicitly
down cast to a smaller type). In this case, the result of (depth / 8) is
assumed to be on 32 bits and is implicitly down cast 8 bits. This is
causing a warning because it may result in unexpected behaviour.

Change the type of the d variables to unsigned int (32bit by default) to
avoid the overflow warning. Since depth is strictly lesser than
RTE_IPV6_MAX_DEPTH, d will always be lesser than RTE_IPV6_ADDR_SIZE.

Replace the magic 8 literals with CHAR_BIT to be consistent with the
definition of RTE_IPV6_MAX_DEPTH.

Coverity issue: 446756, 446758
Fixes: ca786def84ca ("net: add IPv6 address structure and utils")

Signed-off-by: Robin Jarry <rja...@redhat.com>
---
 lib/net/rte_ip6.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/net/rte_ip6.h b/lib/net/rte_ip6.h
index 3ae38811b27c..c015c977573d 100644
--- a/lib/net/rte_ip6.h
+++ b/lib/net/rte_ip6.h
@@ -84,8 +84,8 @@ static inline void
 rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
 {
        if (depth < RTE_IPV6_MAX_DEPTH) {
-               uint8_t d = depth / 8;
-               uint8_t mask = ~(UINT8_MAX >> (depth % 8));
+               unsigned int d = depth / CHAR_BIT;
+               uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
                ip->a[d] &= mask;
                d++;
                memset(&ip->a[d], 0, sizeof(*ip) - d);
@@ -108,8 +108,8 @@ static inline bool
 rte_ipv6_addr_eq_prefix(const struct rte_ipv6_addr *a, const struct 
rte_ipv6_addr *b, uint8_t depth)
 {
        if (depth < RTE_IPV6_MAX_DEPTH) {
-               uint8_t d = depth / 8;
-               uint8_t mask = ~(UINT8_MAX >> (depth % 8));
+               unsigned int d = depth / CHAR_BIT;
+               uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
 
                if ((a->a[d] ^ b->a[d]) & mask)
                        return false;
-- 
2.47.0

Reply via email to