
[ovs-dev,2/7] netdev-native-tnl: Fix Coverity integer overflows report.

Message ID ef66fbd9ab21b2f2e37935054b300534397358ee.1724849996.git.echaudro@redhat.com
State Accepted
Commit 4a9c06ba0a571bb6fbd1d02caff85314c18e58b5
Delegated to: Eelco Chaudron
Series Series fixing some issues reported by Coverity. | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/intel-ovs-compilation fail test: fail

Commit Message

Eelco Chaudron Aug. 28, 2024, 1:28 p.m. UTC
Fix a potential integer overflow in netdev_srv6_pop_header()
by making sure the packet length at least accounts for
the IPv6 header.

Fixes: 03fc1ad78521 ("userspace: Add SRv6 tunnel support.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
---
 lib/netdev-native-tnl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Aaron Conole Aug. 28, 2024, 2:48 p.m. UTC | #1
Eelco Chaudron <echaudro@redhat.com> writes:

> Fixed potential integer overflow in netdev_srv6_pop_header(),
> by making sure the packet length does at least account for
> the IPv6 header.
>
> Fixes: 03fc1ad78521 ("userspace: Add SRv6 tunnel support.")
> Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
> ---

Acked-by: Aaron Conole <aconole@redhat.com>

>  lib/netdev-native-tnl.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/lib/netdev-native-tnl.c b/lib/netdev-native-tnl.c
> index 16c56608d..92081d5e3 100644
> --- a/lib/netdev-native-tnl.c
> +++ b/lib/netdev-native-tnl.c
> @@ -990,7 +990,6 @@ struct dp_packet *
>  netdev_srv6_pop_header(struct dp_packet *packet)
>  {
>      const struct ovs_16aligned_ip6_hdr *nh = dp_packet_l3(packet);
> -    size_t size = dp_packet_l3_size(packet) - IPV6_HEADER_LEN;
>      struct pkt_metadata *md = &packet->md;
>      struct flow_tnl *tnl = &md->tunnel;
>      const struct ip6_rt_hdr *rt_hdr;
> @@ -998,11 +997,18 @@ netdev_srv6_pop_header(struct dp_packet *packet)
>      const void *data = nh + 1;
>      uint8_t nw_frag = 0;
>      unsigned int hlen;
> +    size_t size;
>  
>      /*
>       * Verifies that the routing header is present in the IPv6
>       * extension headers and that its type is SRv6.
>       */
> +    size = dp_packet_l3_size(packet);
> +    if (size < IPV6_HEADER_LEN) {
> +        goto err;
> +    }
> +    size -= IPV6_HEADER_LEN;
> +
>      if (!parse_ipv6_ext_hdrs(&data, &size, &nw_proto, &nw_frag,
>                               NULL, &rt_hdr)) {
>          goto err;

Patch

diff --git a/lib/netdev-native-tnl.c b/lib/netdev-native-tnl.c
index 16c56608d..92081d5e3 100644
--- a/lib/netdev-native-tnl.c
+++ b/lib/netdev-native-tnl.c
@@ -990,7 +990,6 @@  struct dp_packet *
 netdev_srv6_pop_header(struct dp_packet *packet)
 {
     const struct ovs_16aligned_ip6_hdr *nh = dp_packet_l3(packet);
-    size_t size = dp_packet_l3_size(packet) - IPV6_HEADER_LEN;
     struct pkt_metadata *md = &packet->md;
     struct flow_tnl *tnl = &md->tunnel;
     const struct ip6_rt_hdr *rt_hdr;
@@ -998,11 +997,18 @@  netdev_srv6_pop_header(struct dp_packet *packet)
     const void *data = nh + 1;
     uint8_t nw_frag = 0;
     unsigned int hlen;
+    size_t size;
 
     /*
      * Verifies that the routing header is present in the IPv6
      * extension headers and that its type is SRv6.
      */
+    size = dp_packet_l3_size(packet);
+    if (size < IPV6_HEADER_LEN) {
+        goto err;
+    }
+    size -= IPV6_HEADER_LEN;
+
     if (!parse_ipv6_ext_hdrs(&data, &size, &nw_proto, &nw_frag,
                              NULL, &rt_hdr)) {
         goto err;
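Review bot: The new length check starting at `size = dp_packet_l3_size(packet);` is inserted between the existing comment about verifying the SRv6 routing header and the `parse_ipv6_ext_hdrs()` call that comment describes, so the comment now sits over code it does not explain. Moving the added lines above the comment block and giving them their own comment, for example `/* Drop packets shorter than the fixed IPv6 header; the unsigned subtraction below would otherwise wrap. */`, would keep the reason for the guard visible to later readers. Separately, `const void *data = nh + 1;` is still evaluated before the guard; it is only pointer arithmetic here, but if `dp_packet_l3()` can return NULL for a packet without an L3 offset (not visible in this hunk), assigning `data` after the check would be cleaner. The function body starts before and continues past this hunk.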