On Thu, Jan 14, 2021 at 02:15:59PM +0100, Philippe Mathieu-Daudé wrote:
> +Jason +Dmitry
>
> On 1/14/21 8:07 AM, Miroslav Rezanina wrote:
> > When building qemu with GCC 11, compiling eth.c file produce following
> > warning:
> >
> > warning: array subscript 'struct ip6_ext_hdr_routing[0]' is partly
> > outside array bounds of 'struct ip6_ext_hdr[1]' [-Warray-bounds]
> >
> > This is caused by retyping from ip6_ext_hdr to ip6_ext_hdr_routing that has
> > more
> > attributes.
> >
> > As this usage is expected, suppress the warning temporarily through the
> > function
> > using this retyping.
>
> This is not expected, this is a bug...
Thanks for confirmation, my initial idea was the same but then I got
impression (do not remember where) that ip6_ext_hdr is not type where
data are initially written to so the overflow here is expected.
Mirek
>
> >
> > Signed-off-by: Miroslav Rezanina <mreza...@redhat.com>
> > ---
> > net/eth.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/eth.c b/net/eth.c
> > index 1e0821c5f8..b9bdd0435c 100644
> > --- a/net/eth.c
> > +++ b/net/eth.c
> > @@ -405,6 +405,8 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int
> > pkt_frags,
> > struct ip6_ext_hdr *ext_hdr,
> > struct in6_address *dst_addr)
> > {
> > +#pragma GCC diagnostic push
> > +#pragma GCC diagnostic ignored "-Warray-bounds"
> > struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *)
> > ext_hdr;
>
> eth_parse_ipv6_hdr() called iov_to_buf() to fill the 2 bytes of ext_hdr.
>
> > if ((rthdr->rtype == 2) &&
>
> Here we access after the 2 bytes filled... rthdr->rtype is somewhere on
> eth_parse_ipv6_hdr's stack, its content is unknown.
>
> > @@ -426,6 +428,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int
> > pkt_frags,
> > }
> >
> > return false;
> > +#pragma GCC diagnostic pop
>
> Nacked-by: Philippe Mathieu-Daudé <phi...@redhat.com>
>
>
