From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top
Subject: [PATCH v2 7/8] Fix widespread off-by-one error dealing with port numbers
Date: Sat, 24 Sep 2022 19:08:22 +1000 [thread overview]
Message-ID: <20220924090823.1873052-8-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20220924090823.1873052-1-david@gibson.dropbear.id.au>
[-- Attachment #1: Type: text/plain, Size: 5927 bytes --]
Port numbers (for both TCP and UDP) are 16-bit, and so fit exactly into a
'short'. USHRT_MAX is therefore the maximum port number and this is widely
used in the code. Unfortunately, a lot of those places don't actually
want the maximum port number (USHRT_MAX == 65535), they want the total
number of ports (65536). This leads to a number of potentially nasty
consequences:
* We have buffer overruns on the port_fwd::delta array if we try to use
port 65535
* We have similar potential overruns for the tcp_sock_* arrays
* Interestingly udp_act had the correct size, but we can calculate it in
a more direct manner
* We have a logical overrun of the ports bitmap as well, although it will
just use an unused bit in the last byte so isnt harmful
* Many loops don't consider port 65535 (which does mitigate some but not
all of the buffer overruns above)
* In udp_invert_portmap() we incorrectly compute the reverse port
translation for return packets
Correct all these by using a new NUM_PORTS defined explicitly for this
purpose.
Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
conf.c | 4 ++--
port_fwd.h | 7 +++++--
tcp.c | 12 ++++++------
udp.c | 10 +++++-----
udp.h | 2 +-
5 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/conf.c b/conf.c
index 4e86508..993f840 100644
--- a/conf.c
+++ b/conf.c
@@ -209,7 +209,7 @@ static int conf_ports(const struct ctx *c, char optname, const char *optarg,
if (sep == p)
break;
- if (port > USHRT_MAX || errno)
+ if (port >= NUM_PORTS || errno)
goto bad;
switch (*sep) {
@@ -276,7 +276,7 @@ static int conf_ports(const struct ctx *c, char optname, const char *optarg,
if (sep == p)
break;
- if (port > USHRT_MAX || errno)
+ if (port >= NUM_PORTS || errno)
goto bad;
/* -p 22
diff --git a/port_fwd.h b/port_fwd.h
index 7e6a7d7..6f55e19 100644
--- a/port_fwd.h
+++ b/port_fwd.h
@@ -7,6 +7,9 @@
#ifndef PORT_FWD_H
#define PORT_FWD_H
+/* Number of ports for both TCP and UDP */
+#define NUM_PORTS (1U << 16)
+
enum port_fwd_mode {
FWD_SPEC = 1,
FWD_NONE,
@@ -14,7 +17,7 @@ enum port_fwd_mode {
FWD_ALL,
};
-#define PORT_BITMAP_SIZE DIV_ROUND_UP(USHRT_MAX, 8)
+#define PORT_BITMAP_SIZE DIV_ROUND_UP(NUM_PORTS, 8)
/**
* port_fwd - Describes port forwarding for one protocol and direction
@@ -25,7 +28,7 @@ enum port_fwd_mode {
struct port_fwd {
enum port_fwd_mode mode;
uint8_t map[PORT_BITMAP_SIZE];
- in_port_t delta[USHRT_MAX];
+ in_port_t delta[NUM_PORTS];
};
#endif /* PORT_FWD_H */
diff --git a/tcp.c b/tcp.c
index d96232c..e45dfda 100644
--- a/tcp.c
+++ b/tcp.c
@@ -547,9 +547,9 @@ static const char *tcp_flag_str[] __attribute((__unused__)) = {
};
/* Listening sockets, used for automatic port forwarding in pasta mode only */
-static int tcp_sock_init_lo [USHRT_MAX][IP_VERSIONS];
-static int tcp_sock_init_ext [USHRT_MAX][IP_VERSIONS];
-static int tcp_sock_ns [USHRT_MAX][IP_VERSIONS];
+static int tcp_sock_init_lo [NUM_PORTS][IP_VERSIONS];
+static int tcp_sock_init_ext [NUM_PORTS][IP_VERSIONS];
+static int tcp_sock_ns [NUM_PORTS][IP_VERSIONS];
/* Table of destinations with very low RTT (assumed to be local), LRU */
static struct in6_addr low_rtt_dst[LOW_RTT_TABLE_SIZE];
@@ -3186,7 +3186,7 @@ static int tcp_sock_init_ns(void *arg)
ns_enter(c);
- for (port = 0; port < USHRT_MAX; port++) {
+ for (port = 0; port < NUM_PORTS; port++) {
if (!bitmap_isset(c->tcp.fwd_out.map, port))
continue;
@@ -3386,7 +3386,7 @@ static int tcp_port_rebind(void *arg)
if (a->bind_in_ns) {
ns_enter(a->c);
- for (port = 0; port < USHRT_MAX; port++) {
+ for (port = 0; port < NUM_PORTS; port++) {
if (!bitmap_isset(a->c->tcp.fwd_out.map, port)) {
if (tcp_sock_ns[port][V4] >= 0) {
close(tcp_sock_ns[port][V4]);
@@ -3410,7 +3410,7 @@ static int tcp_port_rebind(void *arg)
tcp_sock_init(a->c, 1, AF_UNSPEC, NULL, port);
}
} else {
- for (port = 0; port < USHRT_MAX; port++) {
+ for (port = 0; port < NUM_PORTS; port++) {
if (!bitmap_isset(a->c->tcp.fwd_in.map, port)) {
if (tcp_sock_init_ext[port][V4] >= 0) {
close(tcp_sock_init_ext[port][V4]);
diff --git a/udp.c b/udp.c
index 27c3aa3..bd3dc72 100644
--- a/udp.c
+++ b/udp.c
@@ -164,8 +164,8 @@ struct udp_splice_port {
};
/* Port tracking, arrays indexed by packet source port (host order) */
-static struct udp_tap_port udp_tap_map [IP_VERSIONS][USHRT_MAX];
-static struct udp_splice_port udp_splice_map [IP_VERSIONS][USHRT_MAX];
+static struct udp_tap_port udp_tap_map [IP_VERSIONS][NUM_PORTS];
+static struct udp_splice_port udp_splice_map [IP_VERSIONS][NUM_PORTS];
enum udp_act_type {
UDP_ACT_TAP,
@@ -175,7 +175,7 @@ enum udp_act_type {
};
/* Activity-based aging for bindings */
-static uint8_t udp_act[IP_VERSIONS][UDP_ACT_TYPE_MAX][(USHRT_MAX + 1) / 8];
+static uint8_t udp_act[IP_VERSIONS][UDP_ACT_TYPE_MAX][DIV_ROUND_UP(NUM_PORTS, 8)];
/* Static buffers */
@@ -271,7 +271,7 @@ static void udp_invert_portmap(struct udp_port_fwd *fwd)
in_port_t delta = fwd->f.delta[i];
if (delta)
- fwd->rdelta[(in_port_t)i + delta] = USHRT_MAX - delta;
+ fwd->rdelta[(in_port_t)i + delta] = NUM_PORTS - delta;
}
}
@@ -1198,7 +1198,7 @@ int udp_sock_init_ns(void *arg)
if (ns_enter(c))
return 0;
- for (dst = 0; dst < USHRT_MAX; dst++) {
+ for (dst = 0; dst < NUM_PORTS; dst++) {
if (!bitmap_isset(c->udp.fwd_out.f.map, dst))
continue;
diff --git a/udp.h b/udp.h
index bc7b259..d14df0a 100644
--- a/udp.h
+++ b/udp.h
@@ -50,7 +50,7 @@ union udp_epoll_ref {
*/
struct udp_port_fwd {
struct port_fwd f;
- in_port_t rdelta[USHRT_MAX];
+ in_port_t rdelta[NUM_PORTS];
};
/**
--
@@ -50,7 +50,7 @@ union udp_epoll_ref {
*/
struct udp_port_fwd {
struct port_fwd f;
- in_port_t rdelta[USHRT_MAX];
+ in_port_t rdelta[NUM_PORTS];
};
/**
--
2.37.3
next prev parent reply other threads:[~2022-09-24 9:08 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-24 9:08 [PATCH v2 0/8] Clean up and fix bugs in port forwarding data structures David Gibson
2022-09-24 9:08 ` [PATCH v2 1/8] Improve types and names for port forwarding configuration David Gibson
2022-09-24 11:25 ` Stefano Brivio
2022-09-24 9:08 ` [PATCH v2 2/8] Consolidate port forwarding configuration into a common structure David Gibson
2022-09-24 9:08 ` [PATCH v2 3/8] udp: Delay initialization of UDP reversed port mapping table David Gibson
2022-09-24 9:08 ` [PATCH v2 4/8] Don't use indirect remap functions for conf_ports() David Gibson
2022-09-24 9:08 ` [PATCH v2 5/8] Pass entire port forwarding configuration substructure to conf_ports() David Gibson
2022-09-24 9:08 ` [PATCH v2 6/8] Treat port numbers as unsigned David Gibson
2022-09-24 9:08 ` David Gibson [this message]
2022-09-24 9:08 ` [PATCH v2 8/8] icmp: Correct off by one errors dealing with number of echo request ids David Gibson
2022-09-24 20:25 ` [PATCH v2 0/8] Clean up and fix bugs in port forwarding data structures Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220924090823.1873052-8-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).