patch 'lpm6: fix buffer overflow' has been queued to stable release 19.11.11

christian.ehrhardt at canonical.com christian.ehrhardt at canonical.com
Tue Nov 30 17:35:07 CET 2021


Hi,

FYI, your patch has been queued to stable release 19.11.11

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before December 10th 2021. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/b34c6b450317d5a58342ccda5b1a16ee98bf3c85

Thanks.

Christian Ehrhardt <christian.ehrhardt at canonical.com>

---
From b34c6b450317d5a58342ccda5b1a16ee98bf3c85 Mon Sep 17 00:00:00 2001
From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
Date: Thu, 21 Oct 2021 18:15:49 +0100
Subject: [PATCH] lpm6: fix buffer overflow

[ upstream commit b16ac536573869ba3afd724947bfa9abbd477f86 ]

This patch fixes a buffer overflow reported by ASAN,
please reference https://bugs.dpdk.org/show_bug.cgi?id=819

The rte_lpm6 keeps routing information for control plane purposes
inside the rte_hash table, which uses rte_jhash() as a hash function.
From the rte_jhash() documentation: If input key is not aligned to
four byte boundaries or a multiple of four bytes in length,
the memory region just after may be read (but not used in the
computation).
rte_lpm6 uses 17-byte keys consisting of an IPv6 address (16 bytes) +
depth (1 byte).

This patch increases the size of the depth field up to uint32_t
and sets the alignment to 4 bytes.

Bugzilla ID: 819
Fixes: 86b3b21952a8 ("lpm6: store rules in hash table")

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
Acked-by: Bruce Richardson <bruce.richardson at intel.com>
---
 lib/librte_lpm/rte_lpm6.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c
index 6e1b18d6fd..b7a087554e 100644
--- a/lib/librte_lpm/rte_lpm6.c
+++ b/lib/librte_lpm/rte_lpm6.c
@@ -80,7 +80,7 @@ struct rte_lpm6_rule {
 /** Rules tbl entry key. */
 struct rte_lpm6_rule_key {
 	uint8_t ip[RTE_LPM6_IPV6_ADDR_SIZE]; /**< Rule IP address. */
-	uint8_t depth; /**< Rule depth. */
+	uint32_t depth; /**< Rule depth. */
 };
 
 /* Header of tbl8 */
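
Review bot: the doc comment on `depth` in `struct rte_lpm6_rule_key` still reads only "Rule depth." and gives no reason for the 32-bit width, so a later cleanup could narrow the field back to `uint8_t` and bring back the 17-byte key. Suggest extending the comment to say the field is widened so that the hashed key is a multiple of four bytes, as the rte_jhash() documentation quoted in the commit message requires. Because the key is fed to the hash as raw bytes, it is also worth confirming that every place that fills the key sets `depth` by plain assignment, which writes all four bytes.
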
@@ -259,6 +259,8 @@ rte_lpm6_create(const char *name, int socket_id,
 	lpm_list = RTE_TAILQ_CAST(rte_lpm6_tailq.head, rte_lpm6_list);
 
 	RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_tbl_entry) != sizeof(uint32_t));
+	RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_rule_key) %
+		sizeof(uint32_t) != 0);
 
 	/* Check user arguments. */
 	if ((name == NULL) || (socket_id < -1) || (config == NULL) ||
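
Review bot: the new `RTE_BUILD_BUG_ON` in `rte_lpm6_create()` checks only that the key size is a multiple of `sizeof(uint32_t)`, while the commit message names two conditions from the rte_jhash() documentation: four-byte alignment and a length that is a multiple of four bytes. The alignment currently follows implicitly from the `uint32_t` member; a second build-time check on the alignment of `struct rte_lpm6_rule_key` would keep it from regressing silently, for example if the struct were later marked packed.
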
-- 
2.34.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2021-11-30 16:50:11.814311884 +0100
+++ 0103-lpm6-fix-buffer-overflow.patch	2021-11-30 16:50:05.906874381 +0100
@@ -1 +1 @@
-From b16ac536573869ba3afd724947bfa9abbd477f86 Mon Sep 17 00:00:00 2001
+From b34c6b450317d5a58342ccda5b1a16ee98bf3c85 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b16ac536573869ba3afd724947bfa9abbd477f86 ]
+
@@ -23 +24,0 @@
-Cc: stable at dpdk.org
@@ -28 +29 @@
- lib/lpm/rte_lpm6.c | 4 +++-
+ lib/librte_lpm/rte_lpm6.c | 4 +++-
@@ -31,4 +32,4 @@
-diff --git a/lib/lpm/rte_lpm6.c b/lib/lpm/rte_lpm6.c
-index 37baabb26d..73768fc956 100644
---- a/lib/lpm/rte_lpm6.c
-+++ b/lib/lpm/rte_lpm6.c
+diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c
+index 6e1b18d6fd..b7a087554e 100644
+--- a/lib/librte_lpm/rte_lpm6.c
++++ b/lib/librte_lpm/rte_lpm6.c
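
The over-read described in the commit message above, modelled as an added example that is not DPDK code and not part of the patch. `toy_hash` is a hypothetical word-wise hash standing in for the behaviour quoted from the rte_jhash() documentation (it is not rte_jhash), and `key_before` / `key_after` are hypothetical names mirroring the key struct before and after the change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_ADDR_SIZE 16 /* same value as RTE_LPM6_IPV6_ADDR_SIZE */

struct key_before { uint8_t ip[IPV6_ADDR_SIZE]; uint8_t depth; };  /* 17 bytes */
struct key_after  { uint8_t ip[IPV6_ADDR_SIZE]; uint32_t depth; }; /* 20 bytes */
/* The property the patch enforces at build time, as a C11 static assertion. */
_Static_assert(sizeof(struct key_after) % sizeof(uint32_t) == 0, "key size");

/*
 * Toy word-wise hash (NOT rte_jhash): loads whole 32-bit words and masks the
 * tail, so bytes past key_len are loaded but never mixed in. Loads outside
 * obj_size are counted in *oob and replaced by `fill` (no real invalid read).
 */
static uint32_t toy_hash(const void *obj, size_t obj_size, size_t key_len,
			 uint8_t fill, size_t *oob)
{
	const uint8_t *p = obj;
	uint32_t h = 2166136261u, word, mask;
	*oob = 0;
	for (size_t off = 0; off < key_len; off += 4) {
		uint8_t w[4];
		for (size_t i = 0; i < 4; i++) {
			int in = off + i < obj_size;
			w[i] = in ? p[off + i] : fill; /* fill models a neighbouring byte */
			*oob += !in;
		}
		memcpy(&word, w, sizeof(word));
		mask = 0; /* keep only the bytes that belong to the key */
		memset(&mask, 0xff, key_len - off < 4 ? key_len - off : 4);
		h = (h ^ (word & mask)) * 16777619u;
	}
	return h;
}

int main(void)
{
	/* Constructed sample keys: 2001:db8::/32 */
	struct key_before b = { .ip = { 0x20, 0x01, 0x0d, 0xb8 }, .depth = 32 };
	struct key_after a = { .ip = { 0x20, 0x01, 0x0d, 0xb8 }, .depth = 32 };
	size_t oob_b, oob_a;
	toy_hash(&b, sizeof(b), sizeof(b), 0xAA, &oob_b);
	toy_hash(&a, sizeof(a), sizeof(a), 0xAA, &oob_a);
	printf("before: %zu-byte key, %zu bytes loaded past the end\n", sizeof(b), oob_b);
	printf("after:  %zu-byte key, %zu bytes loaded past the end\n", sizeof(a), oob_a);
	return 0;
}
```

The hash value does not depend on `fill`, which matches the "read but not used" wording: the result is unaffected, yet the load past the object is still what a sanitizer reports.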

