[dpdk-stable] patch 'rib: fix max depth IPv6 lookup' has been queued to stable release 20.11.3

[luca.boccassi at gmail.com]

Hi,

FYI, your patch has been queued to stable release 20.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/14/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/f544eab528ffab4fcccd697b770a5336993a23e2

Thanks.

Luca Boccassi

---
>From f544eab528ffab4fcccd697b770a5336993a23e2 Mon Sep 17 00:00:00 2001
From: Owen Hilyard <ohilyard at iol.unh.edu>
Date: Wed, 23 Jun 2021 11:17:29 -0400
Subject: [PATCH] rib: fix max depth IPv6 lookup

[ upstream commit 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 ]

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir.
The fix for the stack buffer overflow was to make sure depth
was always < 128, since when depth = 128 it caused the index
into the ip address to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few
changes could be made to remove the for loop entirely.

Fixes: f7e861e21c46 ("rib: support IPv6")

Signed-off-by: Owen Hilyard <ohilyard at iol.unh.edu>
Acked-by: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
---
 lib/librte_rib/rte_rib6.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/lib/librte_rib/rte_rib6.c b/lib/librte_rib/rte_rib6.c
index f6c55ee454..96424e9c9f 100644
--- a/lib/librte_rib/rte_rib6.c
+++ b/lib/librte_rib/rte_rib6.c
@@ -79,20 +79,33 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE],
 static inline int
 get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth)
 {
-	int i = 0;
-	uint8_t p_depth, msk;
+	uint8_t index, msk;
 
-	for (p_depth = depth; p_depth >= 8; p_depth -= 8)
-		i++;
+	/*
+	 * depth & 127 clamps depth to values that will not
+	 * read off the end of ip.
+	 * depth is the number of bits deep into ip to traverse, and
+	 * is incremented in blocks of 8 (1 byte). This means the last
+	 * 3 bits are irrelevant to what the index of ip should be.
+	 */
+	index = (depth & (UINT8_MAX - 1)) / CHAR_BIT;
 
-	msk = 1 << (7 - p_depth);
-	return (ip[i] & msk) != 0;
+	/*
+	 * msk is the bitmask used to extract the bit used to decide the
+	 * direction of the next step of the binary search.
+	 */
+	msk = 1 << (7 - (depth & 7));
+
+	return (ip[index] & msk) != 0;
 }
 
 static inline struct rte_rib6_node *
 get_nxt_node(struct rte_rib6_node *node,
 	const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE])
 {
+	if (node->depth == RIB6_MAXDEPTH)
+		return NULL;
+
 	return (get_dir(ip, node->depth)) ? node->right : node->left;
 }
 
-- 
2.30.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2021-07-12 13:41:38.477712027 +0100
+++ 0034-rib-fix-max-depth-IPv6-lookup.patch	2021-07-12 13:41:36.298118611 +0100
@@ -1 +1 @@
-From 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 Mon Sep 17 00:00:00 2001
+From f544eab528ffab4fcccd697b770a5336993a23e2 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -20 +21 @@
- lib/rib/rte_rib6.c | 25 +++++++++++++++++++------
+ lib/librte_rib/rte_rib6.c | 25 +++++++++++++++++++------
@@ -23 +24 @@
-diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c
+diff --git a/lib/librte_rib/rte_rib6.c b/lib/librte_rib/rte_rib6.c
@@ -25,2 +26,2 @@
---- a/lib/rib/rte_rib6.c
-+++ b/lib/rib/rte_rib6.c
+--- a/lib/librte_rib/rte_rib6.c
++++ b/lib/librte_rib/rte_rib6.c