From: Stefano Brivio
To: passt-dev@passt.top
Subject: [PATCH 14/16] tcp: False "Out-of-bounds read" positive, CWE-125
Date: Tue, 05 Apr 2022 19:05:12 +0200
Message-ID: <20220405170514.2963773-15-sbrivio@redhat.com>
In-Reply-To: <20220405170514.2963773-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reported by Coverity: it doesn't see that tcp{4,6}_l2_buf_used are set to zero by tcp_l2_data_buf_flush(), repeat that explicitly here.

Signed-off-by: Stefano Brivio
--- tcp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tcp.c b/tcp.c index 13a108e..ad10688 100644 --- a/tcp.c +++ b/tcp.c @@ -2394,9 +2394,13 @@ static int tcp_data_from_sock(struct ctx *c, struct tc= p_conn *conn) iov_sock[0].iov_len =3D already_sent; =20 if (( v4 && tcp4_l2_buf_used + fill_bufs > ARRAY_SIZE(tcp4_l2_buf)) || - (!v4 && tcp6_l2_buf_used + fill_bufs > ARRAY_SIZE(tcp6_l2_buf))) + (!v4 && tcp6_l2_buf_used + fill_bufs > ARRAY_SIZE(tcp6_l2_buf))) { tcp_l2_data_buf_flush(c); =20 + /* Silence Coverity CWE-125 false positive */ + tcp4_l2_buf_used =3D tcp6_l2_buf_used =3D 0; + } + for (i =3D 0, iov =3D iov_sock + 1; i < fill_bufs; i++, iov++) { if (v4) iov->iov_base =3D &tcp4_l2_buf[tcp4_l2_buf_used + i].data; --=20 2.35.1
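
Review bot: in the new braced block after `tcp_l2_data_buf_flush(c);`, the comment only says the store silences Coverity and does not say why the report is false, so a later reader cannot tell that `tcp4_l2_buf_used = tcp6_l2_buf_used = 0;` is meant to be a no-op. Suggest the comment state that tcp_l2_data_buf_flush() already resets both counters, because if the flush ever stops doing that (a partial flush, for example) this assignment would silently lose track of frames still queued instead of exposing the change. Separately, the false-positive claim holds only if `fill_bufs` on its own cannot exceed ARRAY_SIZE(tcp4_l2_buf) or ARRAY_SIZE(tcp6_l2_buf): the bound is not re-checked after the reset and the loop below indexes `tcp4_l2_buf[tcp4_l2_buf_used + i]` for i < fill_bufs, so it is worth pointing to where that limit is enforced, since it is not visible in this hunk.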