From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefano Brivio To: passt-dev@passt.top Subject: [PATCH 03/16] tcp: False "Untrusted loop bound" positive, CWE-606 Date: Tue, 05 Apr 2022 19:05:01 +0200 Message-ID: <20220405170514.2963773-4-sbrivio@redhat.com> In-Reply-To: <20220405170514.2963773-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5749966232797298657==" --===============5749966232797298657== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Field doff in struct tcp_hdr is 4 bits wide, so optlen in tcp_tap_handler() is already bound, but make that explicit. Reported by Coverity. Signed-off-by: Stefano Brivio --- tcp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tcp.c b/tcp.c index 1409c53..858eb41 100644 --- a/tcp.c +++ b/tcp.c @@ -2716,6 +2716,8 @@ int tcp_tap_handler(struct ctx *c, int af, const void *= addr, return 1; =20 optlen =3D th->doff * 4UL - sizeof(*th); + /* Static checkers might fail to see this: */ + optlen =3D MIN(optlen, ((1UL << 4) /* from doff width */ - 6) * 4UL); opts =3D packet_get(p, 0, sizeof(*th), optlen, NULL); =20 conn =3D tcp_hash_lookup(c, af, addr, htons(th->source), htons(th->dest)); --=20 2.35.1 --===============5749966232797298657==--
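Review bot: In the added MIN() line, the literal 6 is hard to audit: the bound only comes out to the intended 40 bytes because (16 - 6) happens to equal the maximum doff of 15 minus a 5-word base header, and nothing ties it to sizeof(*th), which the line above subtracts. Writing the limit as `((1UL << 4) - 1) * 4UL - sizeof(*th)` would state the same value (assuming sizeof(*th) is the 20-byte base header) and keep it correct if the struct ever changes. The comment could also name the checker and CWE-606 as the commit message does, so the clamp is not later removed as dead code. Separately, the `th->doff * 4UL - sizeof(*th)` expression is unsigned, so a doff below 5 would wrap to a huge value that MIN() now silently turns into 40 before it reaches packet_get(); it is worth confirming that the check ending in the `return 1;` just above already rejects that case, since it is not visible in this hunk.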