patch 'examples/ipsec-secgw: fix partial overflow' has been queued to stable release 20.11.10

luca.boccassi at gmail.com luca.boccassi at gmail.com
Thu Nov 23 17:17:04 CET 2023


Hi,

FYI, your patch has been queued to stable release 20.11.10

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/25/23. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/b7030fdd80bc8f64af4d5ec43c89f1658e1b49ce

Thanks.

Luca Boccassi

---
>From b7030fdd80bc8f64af4d5ec43c89f1658e1b49ce Mon Sep 17 00:00:00 2001
From: Brian Dooley <brian.dooley at intel.com>
Date: Wed, 15 Nov 2023 12:31:01 +0000
Subject: [PATCH] examples/ipsec-secgw: fix partial overflow

[ upstream commit ae9267a67e9030c1b069b0df69924aaca17683bb ]

Case of partial overflow detected with ASan.
Added extra padding to cdev_key structure.

This structure is used for the key in hash table.
Padding is added to force the struct to use 8 bytes,
to ensure memory is notread past this structs boundary
(the hash key calculation reads 8 bytes if this struct is size 5 bytes).
The padding should be zeroed.
If fields are modified in this struct, the padding must be updated to
ensure multiple of 8 bytes size overall.

Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Brian Dooley <brian.dooley at intel.com>
---
 examples/ipsec-secgw/ipsec.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 7031e28c46..19d94519b1 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -224,11 +224,18 @@ struct ipsec_ctx {
 	uint64_t ipv6_offloads;
 };
 
+/*
+ * This structure is used for the key in hash table.
+ * Padding is to force the struct to use 8 bytes,
+ * to ensure memory is not read past this structs boundary
+ * (hash key calculation reads 8 bytes if this struct is size 5 bytes).
+ */
 struct cdev_key {
 	uint16_t lcore_id;
 	uint8_t cipher_algo;
 	uint8_t auth_algo;
 	uint8_t aead_algo;
+	uint8_t padding[3]; /* padding to 8-byte size should be zeroed */
 };
 
 struct socket_ctx {
-- 
2.39.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2023-11-23 16:15:19.381887126 +0000
+++ 0004-examples-ipsec-secgw-fix-partial-overflow.patch	2023-11-23 16:15:19.215058380 +0000
@@ -1 +1 @@
-From ae9267a67e9030c1b069b0df69924aaca17683bb Mon Sep 17 00:00:00 2001
+From b7030fdd80bc8f64af4d5ec43c89f1658e1b49ce Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit ae9267a67e9030c1b069b0df69924aaca17683bb ]
+
@@ -18 +19,0 @@
-Cc: stable at dpdk.org
@@ -26 +27 @@
-index 5059418456..bdcada1c40 100644
+index 7031e28c46..19d94519b1 100644
@@ -29,3 +30,3 @@
-@@ -249,11 +249,18 @@ struct offloads {
- 
- extern struct offloads tx_offloads;
+@@ -224,11 +224,18 @@ struct ipsec_ctx {
+ 	uint64_t ipv6_offloads;
+ };


More information about the stable mailing list