[dpdk-stable] patch 'lpm6: fix buffer overflow' has been queued to stable release 20.11.4

Xueming Li xuemingl at nvidia.com
Wed Nov 10 07:31:18 CET 2021


Hi,

FYI, your patch has been queued to stable release 20.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/12/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/d7d89ada026b295b577d0e93c55c383609825ff9

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
From d7d89ada026b295b577d0e93c55c383609825ff9 Mon Sep 17 00:00:00 2001
From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
Date: Thu, 21 Oct 2021 18:15:49 +0100
Subject: [PATCH] lpm6: fix buffer overflow
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit b16ac536573869ba3afd724947bfa9abbd477f86 ]

This patch fixes buffer overflow reported by ASAN,
please reference https://bugs.dpdk.org/show_bug.cgi?id=819

The rte_lpm6 keeps routing information for control plane purpose
inside the rte_hash table which uses rte_jhash() as a hash function.
From the rte_jhash() documentation: If input key is not aligned to
four byte boundaries or a multiple of four bytes in length,
the memory region just after may be read (but not used in the
computation).
rte_lpm6 uses 17 bytes keys consisting of IPv6 address (16 bytes) +
depth (1 byte).

This patch increases the size of the depth field up to uint32_t
and sets the alignment to 4 bytes.

Bugzilla ID: 819
Fixes: 86b3b21952a8 ("lpm6: store rules in hash table")

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
Acked-by: Bruce Richardson <bruce.richardson at intel.com>
---
 lib/librte_lpm/rte_lpm6.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c
index 37baabb26d..73768fc956 100644
--- a/lib/librte_lpm/rte_lpm6.c
+++ b/lib/librte_lpm/rte_lpm6.c
@@ -80,7 +80,7 @@ struct rte_lpm6_rule {
 /** Rules tbl entry key. */
 struct rte_lpm6_rule_key {
 	uint8_t ip[RTE_LPM6_IPV6_ADDR_SIZE]; /**< Rule IP address. */
-	uint8_t depth; /**< Rule depth. */
+	uint32_t depth; /**< Rule depth. */
 };
 
 /* Header of tbl8 */
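
Review bot: the widened `uint32_t depth` in struct rte_lpm6_rule_key keeps the comment "Rule depth." and gives no reason for a depth value needing 32 bits, so a later cleanup could be tempted to shrink it back to uint8_t and bring back the 17-byte key. The RTE_BUILD_BUG_ON added in rte_lpm6_create() would stop that at build time, but the reason belongs next to the field. Suggest extending the field or struct comment to say that the key is hashed with rte_jhash() and its length must stay a multiple of four bytes.
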
@@ -259,6 +259,8 @@ rte_lpm6_create(const char *name, int socket_id,
 	lpm_list = RTE_TAILQ_CAST(rte_lpm6_tailq.head, rte_lpm6_list);
 
 	RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_tbl_entry) != sizeof(uint32_t));
+	RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_rule_key) %
+		sizeof(uint32_t) != 0);
 
 	/* Check user arguments. */
 	if ((name == NULL) || (socket_id < -1) || (config == NULL) ||
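
Review bot: the new RTE_BUILD_BUG_ON in rte_lpm6_create() checks only that sizeof(struct rte_lpm6_rule_key) is a multiple of sizeof(uint32_t), while the rte_jhash() note quoted in the commit message names two conditions: four-byte alignment of the key and a length that is a multiple of four. The uint32_t member gives the struct that alignment today, but nothing asserts it. Suggest a second build-time check on the struct's alignment beside this one, plus a one-line comment above both pointing at the rte_jhash() requirement so the intent of the assertions is clear to whoever trips them.
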
-- 
2.33.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2021-11-10 14:17:10.519219201 +0800
+++ 0194-lpm6-fix-buffer-overflow.patch	2021-11-10 14:17:02.000745027 +0800
@@ -1 +1 @@
-From b16ac536573869ba3afd724947bfa9abbd477f86 Mon Sep 17 00:00:00 2001
+From d7d89ada026b295b577d0e93c55c383609825ff9 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit b16ac536573869ba3afd724947bfa9abbd477f86 ]
@@ -23 +25,0 @@
-Cc: stable at dpdk.org
@@ -28 +30 @@
- lib/lpm/rte_lpm6.c | 4 +++-
+ lib/librte_lpm/rte_lpm6.c | 4 +++-
@@ -31 +33 @@
-diff --git a/lib/lpm/rte_lpm6.c b/lib/lpm/rte_lpm6.c
+diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c
@@ -33,2 +35,2 @@
---- a/lib/lpm/rte_lpm6.c
-+++ b/lib/lpm/rte_lpm6.c
+--- a/lib/librte_lpm/rte_lpm6.c
++++ b/lib/librte_lpm/rte_lpm6.c

