Fast Datapath Product / FDP-1122

Buffer overrun in netdev-offload-dpdk


    • Bug
    • Resolution: Unresolved
    • Minor
    • None
    • None
    • openvswitch3.5
    • 3
    • False
    • False
    • Given a VXLAN packet is processed by the offload code,

      When the code reads or writes the VNI field,

      Then it must only access the allocated 3 bytes without overrunning into the reserved byte.
    • rhel-10
    • rhel-sst-network-fastdatapath
    • ssg_networking

      Scanhub has identified the following series of minor buffer overruns in vxlan processing code.

      The target variable - vni - is 3 bytes but 32-bit read/write functions are used. There's a reserved byte following the vni which should be zero, so this issue isn't significant. But it should still be fixed.

       

      1. Defect type: OVERRUN
      2. lib/netdev-offload-dpdk.c:1305:5: overrun-local: Overrunning array of 3 bytes at byte offset 3 by dereferencing pointer "(ovs_be32 *)(void *)(*vx_mask).vni".
      #  1303|       put_unaligned_be32(ALIGNED_CAST(ovs_be32 *, vx_spec->vni),
      #  1304|                          htonl(ntohll(match->flow.tunnel.tun_id) << 8));
      #  1305|->     put_unaligned_be32(ALIGNED_CAST(ovs_be32 *, vx_mask->vni),
      #  1306|                          htonl(ntohll(match->wc.masks.tunnel.tun_id) << 8));
      #  1307|
      2. Defect type: OVERRUN
      2. lib/netdev-offload-dpdk.c:1303:5: overrun-local: Overrunning array of 3 bytes at byte offset 3 by dereferencing pointer "(ovs_be32 *)(void *)(*vx_spec).vni".
      #  1301|       vx_mask = xzalloc(sizeof *vx_mask);
      #  1302|
      #  1303|->     put_unaligned_be32(ALIGNED_CAST(ovs_be32 *, vx_spec->vni),
      #  1304|                          htonl(ntohll(match->flow.tunnel.tun_id) << 8));
      #  1305|       put_unaligned_be32(ALIGNED_CAST(ovs_be32 *, vx_mask->vni),
      3. Defect type: OVERRUN
      39. lib/netdev-offload-dpdk.c:698:9: overrun-local: Overrunning array of 3 bytes at byte offset 3 by dereferencing pointer "(ovs_be32 *)(void *)(*vxlan).vni".
      #   696|           ovs_be32 vni;
      #   697|
      #   698|->         vni = get_unaligned_be32(ALIGNED_CAST(ovs_be32 *,
      #   699|                                                 vxlan->vni));
      #   700|           ds_put_format(s, "vni %"PRIu32" ", ntohl(vni) >> 8);
      4. Defect type: OVERRUN
      17. lib/netdev-offload-dpdk.c:619:13: overrun-local: Overrunning array of 3 bytes at byte offset 3 by dereferencing pointer "(ovs_be32 *)(void *)(*vxlan_mask).vni".
      #   617|               spec_vni = get_unaligned_be32(ALIGNED_CAST(ovs_be32 *,
      #   618|                                                          vxlan_spec->vni));
      #   619|->             mask_vni = get_unaligned_be32(ALIGNED_CAST(ovs_be32 *,
      #   620|                                                          vxlan_mask->vni));
      #   621|               DUMP_PATTERN_ITEM(vxlan_mask->vni, false, "vni", "%"PRIu32,
      5. Defect type: OVERRUN
      17. lib/netdev-offload-dpdk.c:617:13: overrun-local: Overrunning array of 3 bytes at byte offset 3 by dereferencing pointer "(ovs_be32 *)(void *)(*vxlan_spec).vni".
      #   615|                   vxlan_mask = &rte_flow_item_vxlan_mask;
      #   616|               }
      #   617|->             spec_vni = get_unaligned_be32(ALIGNED_CAST(ovs_be32 *,
      #   618|                                                          vxlan_spec->vni));
      #   619|               mask_vni = get_unaligned_be32(ALIGNED_CAST(ovs_be32 *,
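
The access pattern the acceptance criteria ask for, as an added example that is not part of the original report or of the Open vSwitch code: a 3-byte VNI load and store beside a model of the flagged 32-bit store. The struct `vxlan_item` and all function names are hypothetical stand-ins, assuming only the layout the report describes (a 3-byte `vni` followed by one reserved byte).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the layout in the report (names hypothetical):
 * a 3-byte VNI immediately followed by one reserved byte. */
struct vxlan_item {
    uint8_t flags;
    uint8_t rsvd0[3];
    uint8_t vni[3];
    uint8_t rsvd1;
};

/* Store the low 24 bits of 'vni' in network byte order; writes 3 bytes. */
static void vni_put24(uint8_t dst[3], uint32_t vni)
{
    dst[0] = (uint8_t)(vni >> 16);
    dst[1] = (uint8_t)(vni >> 8);
    dst[2] = (uint8_t)vni;
}

/* Load a 24-bit network-order VNI; reads exactly 3 bytes. */
static uint32_t vni_get24(const uint8_t src[3])
{
    return ((uint32_t)src[0] << 16) | ((uint32_t)src[1] << 8) | src[2];
}

/* Model of the flagged pattern: a big-endian 32-bit store of (vni << 8).
 * It takes a 4-byte buffer so the effect on the 4th byte can be observed
 * without an out-of-bounds access. */
static void vni_put32_model(uint8_t dst[4], uint32_t vni)
{
    uint32_t v = vni << 8;
    dst[0] = (uint8_t)(v >> 24); dst[1] = (uint8_t)(v >> 16);
    dst[2] = (uint8_t)(v >> 8);  dst[3] = (uint8_t)v;
}

/* Put a sentinel in the reserved byte, do a 3-byte store, return the byte. */
static uint8_t rsvd_after_put24(uint32_t vni)
{
    struct vxlan_item it;
    memset(&it, 0, sizeof it);
    it.rsvd1 = 0xA5;                 /* constructed sentinel value */
    vni_put24(it.vni, vni);
    return it.rsvd1;
}

int main(void)
{
    uint8_t wide[4] = { 0, 0, 0, 0xA5 };
    vni_put32_model(wide, 0x123456);
    printf("24-bit store leaves reserved byte 0x%02x\n", (unsigned)rsvd_after_put24(0x123456));
    printf("32-bit store leaves 4th byte 0x%02x, vni %u\n", (unsigned)wide[3], (unsigned)vni_get24(wide));
    return 0;
}
```
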

       

       

       

              ovsdpdk-triage ovsdpdk triage
              rh-ee-mpattric Mike Pattrick