From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH 03/16] tcp: False "Untrusted loop bound" positive, CWE-606
Date: Tue, 05 Apr 2022 19:05:01 +0200
Message-ID: <20220405170514.2963773-4-sbrivio@redhat.com>
In-Reply-To: <20220405170514.2963773-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5749966232797298657=="

--===============5749966232797298657==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Field doff in struct tcp_hdr is 4 bits wide, so optlen in
tcp_tap_handler() is already bound, but make that explicit.
Reported by Coverity.

Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
 tcp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tcp.c b/tcp.c
index 1409c53..858eb41 100644
--- a/tcp.c
+++ b/tcp.c
@@ -2716,6 +2716,8 @@ int tcp_tap_handler(struct ctx *c, int af, const void *=
addr,
 		return 1;
=20
 	optlen =3D th->doff * 4UL - sizeof(*th);
+	/* Static checkers might fail to see this: */
+	optlen =3D MIN(optlen, ((1UL << 4) /* from doff width */ - 6) * 4UL);
 	opts =3D packet_get(p, 0, sizeof(*th), optlen, NULL);
=20
 	conn =3D tcp_hash_lookup(c, af, addr, htons(th->source), htons(th->dest));
--=20
2.35.1


--===============5749966232797298657==--