[dpdk-dev] [PATCH] lib/rte_rib6: fix stack buffer overflow
Medvedkin, Vladimir
vladimir.medvedkin at intel.com
Wed Jun 16 19:27:41 CEST 2021
Hi Owen,
Thanks for the fix.
I like your solution with removing the loop. However, while this fixes
the buffer overflow, IMO it is not complete, because get_dir() shouldn't
be called in cases where depth = 128. In this case checking the MSB of
the ip is not quite right thing.
The only place where it is possible (depth == 128) is on calling
get_nxt_node() from rte_rib6_lookup(), so I would suggest adding
something like this:
if (depth == 128)
return NULL;
to get_nxt_node() along with your changes.
Also, apart from Stephen's comments, please add the corresponding
fixline to the v2.
Thanks!
On 16/06/2021 19:56, Stephen Hemminger wrote:
> On Wed, 16 Jun 2021 12:07:29 -0400
> ohilyard at iol.unh.edu wrote:
>
>> From: Owen Hilyard <ohilyard at iol.unh.edu>
>>
>> ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir.
>> The fix for the stack buffer overflow was to make sure depth
>> was always < 128, since when depth = 128 it caused the index
>> into the ip address to be 16, which read off the end of the array.
>>
>> While trying to solve the buffer overflow, I noticed that a few
>> changes could be made to remove the for loop entirely.
>>
>> Signed-off-by: Owen Hilyard <ohilyard at iol.unh.edu>
>> ---
>> lib/rib/rte_rib6.c | 22 ++++++++++++++--------
>> 1 file changed, 14 insertions(+), 8 deletions(-)
>>
>> diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c
>> index f6c55ee45..2de50449d 100644
>> --- a/lib/rib/rte_rib6.c
>> +++ b/lib/rib/rte_rib6.c
>> @@ -79,14 +79,20 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE],
>> static inline int
>> get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth)
>> {
>> - int i = 0;
>> - uint8_t p_depth, msk;
>> -
>> - for (p_depth = depth; p_depth >= 8; p_depth -= 8)
>> - i++;
>> -
>> - msk = 1 << (7 - p_depth);
>> - return (ip[i] & msk) != 0;
>> + int index, msk;
>> + /* depth & 127 clamps depth to values that will not
>
> Please put blank line after declarations for clarity.
> Since index and mask are not signed values, please make them unsigned.
> Better yet, make them sized to the appropriate number of bits.
>
>> + * read off the end of ip.
>> + * depth is the number of bits deep into ip to traverse, and
>> + * is incremented in blocks of 8 (1 byte). This means the last
>> + * 3 bits are irrelevant to what the index of ip should be.
>> + */
>> + index = (depth & 127) >> 3;
>> + /*
>> + * msk is the bitmask used to extract the bit used to decide the
>> + * direction of the next step of the binary search.
>> + */
>> + msk = 1 << (7 - (depth & 7));
>> + return (ip[index] & msk) != 0;
>> }
>>
>> static inline struct rte_rib6_node *
>
--
Regards,
Vladimir
More information about the dev
mailing list