On Wed, Mar 27, 2024, at 16:23, Alexander Lobakin wrote:
> +static int pfcp_encap_recv(struct sock *sk, struct sk_buff *skb)
> +{
> + IP_TUNNEL_DECLARE_FLAGS(flags) = { };
> + struct metadata_dst *tun_dst;
> + struct pfcp_metadata *md;
> + struct pfcphdr *unparsed;
> + struct pfcp_dev *pfcp;
> +
> + if (unlikely(!pskb_may_pull(skb, PFCP_HLEN)))
> + goto drop;
> +
> + pfcp = rcu_dereference_sk_user_data(sk);
> + if (unlikely(!pfcp))
> + goto drop;
> +
> + unparsed = pfcp_hdr(skb);
> +
> + ip_tunnel_flags_zero(flags);
> + tun_dst = udp_tun_rx_dst(skb, sk->sk_family, flags, 0,
> + sizeof(*md));
> + if (unlikely(!tun_dst))
> + goto drop;
> +
> + md = ip_tunnel_info_opts(&tun_dst->u.tun_info);
> + if (unlikely(!md))
> + goto drop;
> +
> + if (unparsed->flags & PFCP_SEID_FLAG)
> + pfcp_session_recv(pfcp, skb, md);
> + else
> + pfcp_node_recv(pfcp, skb, md);
> +
> + __set_bit(IP_TUNNEL_PFCP_OPT_BIT, flags);
> + ip_tunnel_info_opts_set(&tun_dst->u.tun_info, md, sizeof(*md),
> + flags);
> +
The memcpy() in the ip_tunnel_info_opts_set() causes
a string.h fortification warning, with at least gcc-13:
In function 'fortify_memcpy_chk',
inlined from 'ip_tunnel_info_opts_set' at
include/net/ip_tunnels.h:619:3,
inlined from 'pfcp_encap_recv' at drivers/net/pfcp.c:84:2:
include/linux/fortify-string.h:553:25: error: call to
'__write_overflow_field' declared with attribute warning: detected write beyond
size of field (1st parameter); maybe use struct_group()?
[-Werror=attribute-warning]
553 | __write_overflow_field(p_size_field, size);
As far as I can tell, the warning is caused by the
ambiguity of the union, but what I noticed is that
it also seems to copy a buffer to itself, as 'md'
is initialized to tun_dst->u.tun_info as well.
Is this intentional?
Arnd
