Laurent Jacquot pointed out another bug in UDP forwarding that turned out to also be a nasty buffer overrun. Fix that, and make a minor cleanup alongside while we're at it. Link: https://bugs.passt.top/show_bug.cgi?id=80 David Gibson (2): udp: Assertion in udp_invert_portmap() can be calculated at compile time udp: Fix 16-bit overflow in udp_invert_portmap() udp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) -- 2.43.2
All the values in this ASSERT() are known at compile time, so this can be
converted to a static_assert().
Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
udp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/udp.c b/udp.c
index 933f24b8..c031a053 100644
--- a/udp.c
+++ b/udp.c
@@ -260,7 +260,8 @@ static void udp_invert_portmap(struct udp_port_fwd *fwd)
{
int i;
- ASSERT(ARRAY_SIZE(fwd->f.delta) == ARRAY_SIZE(fwd->rdelta));
+ static_assert(ARRAY_SIZE(fwd->f.delta) == ARRAY_SIZE(fwd->rdelta),
+ "Forward and reverse delta arrays must have same size");
for (i = 0; i < ARRAY_SIZE(fwd->f.delta); i++) {
in_port_t delta = fwd->f.delta[i];
--
2.43.2
The code in udp_invert_portmap() is written based on an incorrect understanding of C's (arcane) integer promotion rules. We calculate '(in_port_t)i + delta' expecting the result to be of type in_port_t (16 bits). However "small integer types" (those narrower than 'int') are always promoted to int for expressions, meaning this calculation can overrun the rdelta[] array. Fix this, and use a new intermediate for the index, to make it very clear what it's type is. We also change i to unsigned, to avoid any possible confusion from mixing signed and unsigned types. Link: https://bugs.passt.top/show_bug.cgi?id=80 Reported-by: Laurent Jacquot <jk(a)lutty.net> Suggested-by: Laurent Jacquot <jk(a)lutty.net> Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- udp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/udp.c b/udp.c index c031a053..a3961bfd 100644 --- a/udp.c +++ b/udp.c @@ -258,15 +258,16 @@ void udp_portmap_clear(void) */ static void udp_invert_portmap(struct udp_port_fwd *fwd) { - int i; + unsigned int i; static_assert(ARRAY_SIZE(fwd->f.delta) == ARRAY_SIZE(fwd->rdelta), "Forward and reverse delta arrays must have same size"); for (i = 0; i < ARRAY_SIZE(fwd->f.delta); i++) { in_port_t delta = fwd->f.delta[i]; + in_port_t rport = i + delta; if (delta) - fwd->rdelta[(in_port_t)i + delta] = NUM_PORTS - delta; + fwd->rdelta[rport] = NUM_PORTS - delta; } } -- 2.43.2
On Tue, 20 Feb 2024 13:48:22 +1100 David Gibson <david(a)gibson.dropbear.id.au> wrote:Laurent Jacquot pointed out another bug in UDP forwarding that turned out to also be a nasty buffer overrun. Fix that, and make a minor cleanup alongside while we're at it. Link: https://bugs.passt.top/show_bug.cgi?id=80 David Gibson (2): udp: Assertion in udp_invert_portmap() can be calculated at compile time udp: Fix 16-bit overflow in udp_invert_portmap()Applied. -- Stefano