[dpdk-stable] patch 'fib: fix possible integer overflow' has been queued to stable release 19.11.1

luca.boccassi at gmail.com luca.boccassi at gmail.com
Tue Feb 11 12:22:16 CET 2020

Previous message: [dpdk-stable] patch 'mem: fix munmap in error unwind' has been queued to stable release 19.11.1
Next message: [dpdk-stable] patch 'acl: fix 32-bit match for range field' has been queued to stable release 19.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 19.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/13/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From fddb5b5cea39f543694928775f69892b369b6d51 Mon Sep 17 00:00:00 2001
From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
Date: Tue, 21 Jan 2020 15:07:09 +0000
Subject: [PATCH] fib: fix possible integer overflow

[ upstream commit 247a38c52056f3255da357fc6501a1eec414aa23 ]

This commit fixes possible integer overflow for
prev_idx in build_common_root() CID 350596
and
tbl8_idx in write_edge() CID 350597

Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
overflow_before_widen: Potentially overflowing expression tbl8_idx * 256
with type int (32 bits, signed) is evaluated using 32-bit arithmetic,
and then used in a context that expects an expression of
type uint64_t (64 bits, unsigned).

Coverity issue: 350596, 350597
Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
---
 lib/librte_fib/trie.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/librte_fib/trie.c b/lib/librte_fib/trie.c
index 124aa8b98b..2ae2add4f3 100644
--- a/lib/librte_fib/trie.c
+++ b/lib/librte_fib/trie.c
@@ -240,9 +240,8 @@ tbl8_alloc(struct rte_trie_tbl *dp, uint64_t nh)
 	tbl8_idx = tbl8_get(dp);
 	if (tbl8_idx < 0)
 		return tbl8_idx;
-	tbl8_ptr = (uint8_t *)dp->tbl8 +
-		((tbl8_idx * TRIE_TBL8_GRP_NUM_ENT) <<
-		dp->nh_sz);
+	tbl8_ptr = get_tbl_p_by_idx(dp->tbl8,
+		tbl8_idx * TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz);
 	/*Init tbl8 entries with nexthop from tbl24*/
 	write_to_dp((void *)tbl8_ptr, nh, dp->nh_sz,
 		TRIE_TBL8_GRP_NUM_ENT);
@@ -317,7 +316,7 @@ get_idx(const uint8_t *ip, uint32_t prev_idx, int bytes, int first_byte)
 		bitshift = (int8_t)(((first_byte + bytes - 1) - i)*BYTE_SIZE);
 		idx |= ip[i] <<  bitshift;
 	}
-	return (prev_idx * 256) + idx;
+	return (prev_idx * TRIE_TBL8_GRP_NUM_ENT) + idx;
 }
 
 static inline uint64_t
@@ -354,8 +353,8 @@ recycle_root_path(struct rte_trie_tbl *dp, const uint8_t *ip_part,
 		return;
 
 	if (common_tbl8 != 0) {
-		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) * 256 + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (val >> 1) *
+			TRIE_TBL8_GRP_NUM_ENT + *ip_part, dp->nh_sz);
 		recycle_root_path(dp, ip_part + 1, common_tbl8 - 1, p);
 	}
 	tbl8_recycle(dp, prev, val >> 1);
@@ -388,7 +387,8 @@ build_common_root(struct rte_trie_tbl *dp, const uint8_t *ip,
 		j = i;
 		cur_tbl = dp->tbl8;
 	}
-	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * 256, dp->nh_sz);
+	*tbl = get_tbl_p_by_idx(cur_tbl, prev_idx * TRIE_TBL8_GRP_NUM_ENT,
+		dp->nh_sz);
 	return 0;
 }
 
@@ -411,8 +411,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 				return tbl8_idx;
 			val = (tbl8_idx << 1)|TRIE_EXT_ENT;
 		}
-		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx * 256) + *ip_part,
-			dp->nh_sz);
+		p = get_tbl_p_by_idx(dp->tbl8, (tbl8_idx *
+			TRIE_TBL8_GRP_NUM_ENT) + *ip_part, dp->nh_sz);
 		ret = write_edge(dp, ip_part + 1, next_hop, len - 1, edge, p);
 		if (ret < 0)
 			return ret;
@@ -420,8 +420,8 @@ write_edge(struct rte_trie_tbl *dp, const uint8_t *ip_part, uint64_t next_hop,
 			write_to_dp((uint8_t *)p + (1 << dp->nh_sz),
 				next_hop << 1, dp->nh_sz, UINT8_MAX - *ip_part);
 		} else {
-			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx * 256,
-				dp->nh_sz),
+			write_to_dp(get_tbl_p_by_idx(dp->tbl8, tbl8_idx *
+				TRIE_TBL8_GRP_NUM_ENT, dp->nh_sz),
 				next_hop << 1, dp->nh_sz, *ip_part);
 		}
 		tbl8_recycle(dp, &val, tbl8_idx);
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-02-11 11:17:45.089401763 +0000
+++ 0190-fib-fix-possible-integer-overflow.patch	2020-02-11 11:17:38.844009649 +0000
@@ -1,8 +1,10 @@
-From 247a38c52056f3255da357fc6501a1eec414aa23 Mon Sep 17 00:00:00 2001
+From fddb5b5cea39f543694928775f69892b369b6d51 Mon Sep 17 00:00:00 2001
 From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
 Date: Tue, 21 Jan 2020 15:07:09 +0000
 Subject: [PATCH] fib: fix possible integer overflow
 
+[ upstream commit 247a38c52056f3255da357fc6501a1eec414aa23 ]
+
 This commit fixes possible integer overflow for
 prev_idx in build_common_root() CID 350596
 and
@@ -16,7 +18,6 @@
 
 Coverity issue: 350596, 350597
 Fixes: c3e12e0f0354 ("fib: add dataplane algorithm for IPv6")
-Cc: stable at dpdk.org
 
 Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
 ---

Previous message: [dpdk-stable] patch 'mem: fix munmap in error unwind' has been queued to stable release 19.11.1
Next message: [dpdk-stable] patch 'acl: fix 32-bit match for range field' has been queued to stable release 19.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list