[PATCH 0/2] Fix buffer overrun in UDP setup (bug 80)
Laurent Jacquot pointed out another bug in UDP forwarding that turned out to also be a nasty buffer overrun. Fix that, and make a minor cleanup alongside while we're at it.
Link: https://bugs.passt.top/show_bug.cgi?id=80
David Gibson (2):
  udp: Assertion in udp_invert_portmap() can be calculated at compile time
  udp: Fix 16-bit overflow in udp_invert_portmap()
 udp.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
--
2.43.2
All the values in this ASSERT() are known at compile time, so this can be
converted to a static_assert().
Signed-off-by: David Gibson
The code in udp_invert_portmap() is written based on an incorrect
understanding of C's (arcane) integer promotion rules. We calculate
'(in_port_t)i + delta' expecting the result to be of type in_port_t (16
bits). However "small integer types" (those narrower than 'int') are
always promoted to int for expressions, meaning this calculation can
overrun the rdelta[] array.
Fix this, and use a new intermediate for the index, to make it very clear
what its type is. We also change i to unsigned, to avoid any possible
confusion from mixing signed and unsigned types.
Link: https://bugs.passt.top/show_bug.cgi?id=80
Reported-by: Laurent Jacquot
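
The promotion behaviour described in the second commit message, as an added example (not code from passt or from the patch): it compares the index an expression of the form `(in_port_t)i + delta` yields after promotion to int with the index obtained through an explicit 16-bit intermediate. The `struct portmap` layout, `port_t`, the helper names and the `NUM_PORTS` value of 65536 are assumptions made for illustration.

```c
#include <stdint.h>

#define NUM_PORTS (1U << 16)	/* assumed: one map slot per 16-bit port */
typedef uint16_t port_t;	/* stand-in for in_port_t */

struct portmap {		/* hypothetical layout, not the project's */
	port_t delta[NUM_PORTS];	/* forward: port i maps to i + delta[i] */
	port_t rdelta[NUM_PORTS];	/* reverse map, filled in below */
};
_Static_assert(sizeof(((struct portmap *)0)->delta) ==
	       sizeof(((struct portmap *)0)->rdelta), "map sizes differ");

/* The flawed index: both 16-bit operands are promoted to int before the
 * addition, so the sum is not reduced modulo 65536. */
static long index_promoted(unsigned i, port_t delta)
{
	return (port_t)i + delta;
}

/* Audit helper: forward entries whose promoted index leaves rdelta[]. */
static unsigned count_out_of_bounds(const struct portmap *m)
{
	unsigned i, n = 0;
	for (i = 0; i < NUM_PORTS; i++)
		n += m->delta[i] && index_promoted(i, m->delta[i]) >= NUM_PORTS;
	return n;
}

/* Bounds-safe inversion: the index goes through a 16-bit intermediate,
 * so the assignment truncates the sum and it wraps within the table. */
static void invert_portmap(struct portmap *m)
{
	unsigned i;
	for (i = 0; i < NUM_PORTS; i++) {
		port_t delta = m->delta[i];
		port_t rport = i + delta;
		if (delta)
			m->rdelta[rport] = NUM_PORTS - delta;
	}
}

int main(void)
{
	static struct portmap m;	/* constructed sample, zero-initialised */
	m.delta[65000] = 1000;		/* promoted index 66000, wrapped 464 */
	invert_portmap(&m);
	return !(count_out_of_bounds(&m) == 1 && m.rdelta[464] == 64536);
}
```
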
On Tue, 20 Feb 2024 13:48:22 +1100
David Gibson
Laurent Jacquot pointed out another bug in UDP forwarding that turned out to also be a nasty buffer overrun. Fix that, and make a minor cleanup alongside while we're at it.
Link: https://bugs.passt.top/show_bug.cgi?id=80
David Gibson (2):
  udp: Assertion in udp_invert_portmap() can be calculated at compile time
  udp: Fix 16-bit overflow in udp_invert_portmap()
Applied. -- Stefano
Participants (2):
- David Gibson
- Stefano Brivio