[dpdk-stable] patch 'security: fix verification of parameters' has been queued to LTS release 18.11.9
Kevin Traynor
ktraynor at redhat.com
Thu May 28 18:22:27 CEST 2020
Hi,
FYI, your patch has been queued to LTS release 18.11.9
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/03/20. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/a50fdf67e881349037cc68db43874582cfa6d550
Thanks.
Kevin.
---
>From a50fdf67e881349037cc68db43874582cfa6d550 Mon Sep 17 00:00:00 2001
From: Lukasz Wojciechowski <l.wojciechow at partner.samsung.com>
Date: Thu, 9 Apr 2020 19:24:50 +0200
Subject: [PATCH] security: fix verification of parameters
[ upstream commit b6ee98547847e64b527484ab453a9f81ff3ce067 ]
This patch adds verification of the parameters to the ret_security API
functions. All required parameters are checked if they are not NULL.
Checks verify full chain of pointers, e.g. in case of verification of
"instance->ops->session_XXX", they check also "instance"
and "instance->ops".
Fixes: c261d1431bd8 ("security: introduce security API and framework")
Fixes: 1a08c379b9b5 ("security: support user data retrieval")
Signed-off-by: Lukasz Wojciechowski <l.wojciechow at partner.samsung.com>
Acked-by: Anoob Joseph <anoobj at marvell.com>
Acked-by: Akhil Goyal <akhil.goyal at nxp.com>
---
lib/librte_security/rte_security.c | 59 +++++++++++++++++++++++-------
1 file changed, 46 insertions(+), 13 deletions(-)
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index a222b33cec..4f9639d693 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -2,4 +2,5 @@
* Copyright 2017 NXP.
* Copyright(c) 2017 Intel Corporation.
+ * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
*/
@@ -10,4 +11,17 @@
#include "rte_security_driver.h"
+/* Macro to check for invalid pointers */
+#define RTE_PTR_OR_ERR_RET(ptr, retval) do { \
+ if ((ptr) == NULL) \
+ return retval; \
+} while (0)
+
+/* Macro to check for invalid pointers chains */
+#define RTE_PTR_CHAIN3_OR_ERR_RET(p1, p2, p3, retval, last_retval) do { \
+ RTE_PTR_OR_ERR_RET(p1, retval); \
+ RTE_PTR_OR_ERR_RET(p1->p2, retval); \
+ RTE_PTR_OR_ERR_RET(p1->p2->p3, last_retval); \
+} while (0)
+
struct rte_security_session *
rte_security_session_create(struct rte_security_ctx *instance,
@@ -17,8 +31,7 @@ rte_security_session_create(struct rte_security_ctx *instance,
struct rte_security_session *sess = NULL;
- if (conf == NULL)
- return NULL;
-
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, NULL);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
+ RTE_PTR_OR_ERR_RET(conf, NULL);
+ RTE_PTR_OR_ERR_RET(mp, NULL);
if (rte_mempool_get(mp, (void **)&sess))
@@ -39,5 +52,9 @@ rte_security_session_update(struct rte_security_ctx *instance,
struct rte_security_session_conf *conf)
{
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_update, -ENOTSUP);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_update, -EINVAL,
+ -ENOTSUP);
+ RTE_PTR_OR_ERR_RET(sess, -EINVAL);
+ RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
return instance->ops->session_update(instance->device, sess, conf);
}
@@ -46,5 +63,6 @@ unsigned int
rte_security_session_get_size(struct rte_security_ctx *instance)
{
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_get_size, 0);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_get_size, 0, 0);
+
return instance->ops->session_get_size(instance->device);
}
@@ -55,5 +73,9 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
struct rte_security_stats *stats)
{
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_stats_get, -ENOTSUP);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_stats_get, -EINVAL,
+ -ENOTSUP);
+ /* Parameter sess can be NULL in case of getting global statistics. */
+ RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
return instance->ops->session_stats_get(instance->device, sess, stats);
}
@@ -65,5 +87,7 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
int ret;
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_destroy, -ENOTSUP);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_destroy, -EINVAL,
+ -ENOTSUP);
+ RTE_PTR_OR_ERR_RET(sess, -EINVAL);
if (instance->sess_cnt)
@@ -82,5 +106,9 @@ rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
struct rte_mbuf *m, void *params)
{
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP);
+#ifdef RTE_DEBUG
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, set_pkt_metadata, -EINVAL,
+ -ENOTSUP);
+ RTE_PTR_OR_ERR_RET(sess, -EINVAL);
+#endif
return instance->ops->set_pkt_metadata(instance->device,
sess, m, params);
@@ -92,5 +120,7 @@ rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
void *userdata = NULL;
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->get_userdata, NULL);
+#ifdef RTE_DEBUG
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, get_userdata, NULL, NULL);
+#endif
if (instance->ops->get_userdata(instance->device, md, &userdata))
return NULL;
@@ -102,5 +132,6 @@ const struct rte_security_capability *
rte_security_capabilities_get(struct rte_security_ctx *instance)
{
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, capabilities_get, NULL, NULL);
+
return instance->ops->capabilities_get(instance->device);
}
@@ -114,5 +145,7 @@ rte_security_capability_get(struct rte_security_ctx *instance,
uint16_t i = 0;
- RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
+ RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, capabilities_get, NULL, NULL);
+ RTE_PTR_OR_ERR_RET(idx, NULL);
+
capabilities = instance->ops->capabilities_get(instance->device);
@@ -122,5 +155,5 @@ rte_security_capability_get(struct rte_security_ctx *instance,
while ((capability = &capabilities[i++])->action
!= RTE_SECURITY_ACTION_TYPE_NONE) {
- if (capability->action == idx->action &&
+ if (capability->action == idx->action &&
capability->protocol == idx->protocol) {
if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC) {
--
2.21.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2020-05-28 17:13:01.218668789 +0100
+++ 0040-security-fix-verification-of-parameters.patch 2020-05-28 17:12:59.108556242 +0100
@@ -1 +1 @@
-From b6ee98547847e64b527484ab453a9f81ff3ce067 Mon Sep 17 00:00:00 2001
+From a50fdf67e881349037cc68db43874582cfa6d550 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b6ee98547847e64b527484ab453a9f81ff3ce067 ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -25 +26 @@
-index bc81ce15d1..38ccc2ea9c 100644
+index a222b33cec..4f9639d693 100644
More information about the stable
mailing list