From: David Gibson
To: passt-dev@passt.top
Subject: [PATCH v2 8/8] icmp: Correct off by one errors dealing with number of echo request ids
Date: Sat, 24 Sep 2022 19:08:23 +1000
Message-ID: <20220924090823.1873052-9-david@gibson.dropbear.id.au>
In-Reply-To: <20220924090823.1873052-1-david@gibson.dropbear.id.au>

ICMP echo request and reply packets include a 16-bit 'id' value. We have
some arrays indexed by this id value. Unfortunately we size those arrays
with USHRT_MAX (65535) when they need to be sized by the total number of
id values (65536). This could lead to buffer overruns.

Resize the arrays correctly, using a new define for the purpose.

Signed-off-by: David Gibson
---
 icmp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/icmp.c b/icmp.c
index 2da8b58..39a8694 100644
--- a/icmp.c
+++ b/icmp.c
@@ -39,6 +39,7 @@
 #include "icmp.h"
 
 #define ICMP_ECHO_TIMEOUT 60 /* s, timeout for ICMP socket activity */
+#define ICMP_NUM_IDS (1U << 16)
 
 /**
  * struct icmp_id_sock - Tracking information for single ICMP echo identifier
@@ -53,10 +54,10 @@ struct icmp_id_sock {
 };
 
 /* Indexed by ICMP echo identifier */
-static struct icmp_id_sock icmp_id_map [IP_VERSIONS][USHRT_MAX];
+static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];
 
 /* Bitmaps, activity monitoring needed for identifier */
-static uint8_t icmp_act [IP_VERSIONS][USHRT_MAX / 8];
+static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)];
 
 /**
  * icmp_sock_handler() - Handle new data from socket
-- 
2.37.3
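Review bot: the new `#define ICMP_NUM_IDS (1U << 16)` in the first hunk carries no comment, while the neighbouring ICMP_ECHO_TIMEOUT line documents its unit and purpose; a short trailing comment such as `/* distinct 16-bit ICMP echo identifiers */` would record why the value is 65536 rather than USHRT_MAX and keep a later reader from "simplifying" it back to the limits.h constant. Deriving the count from the field width with `1U << 16` rather than writing `USHRT_MAX + 1` is the better choice for exactly that reason.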
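Review bot: the bitmap resize in the second hunk fixes a second, less obvious overrun that the commit message does not spell out: `USHRT_MAX / 8` truncates to 8191 bytes, so the byte for any identifier from 65528 upwards (id / 8 == 8191) lay one past the end of icmp_act, whereas `DIV_ROUND_UP(ICMP_NUM_IDS, 8)` yields the full 8192 bytes; it would help to mention both overruns in the message. Before merging, it is worth confirming that any loop or bound elsewhere in icmp.c that walks icmp_id_map or icmp_act now uses ICMP_NUM_IDS rather than USHRT_MAX, and that DIV_ROUND_UP is already visible in this file through an existing include. Dropping the space before `[` in both declarations is fine, but it is a cosmetic change folded into a bug fix.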
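As an added illustration of the sizing defect the commit message describes (example code written for this page, not part of passt), the following C program declares both the USHRT_MAX-sized "before" arrays and the corrected ones side by side, adds the compile-time assertions that would have caught the mistake at build time, and reports the first 16-bit identifier that falls outside each array. The DIV_ROUND_UP macro, NUM_IDS and struct id_slot are stand-ins assumed here, not the project's own definitions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a DIV_ROUND_UP helper; this definition is assumed for the
 * example and is not taken from the project. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Total number of distinct 16-bit identifiers: 0 .. 65535 inclusive. */
#define NUM_IDS (1U << 16)

struct id_slot { int sock_fd; };	/* hypothetical per-identifier record */

/* The two sizings side by side: the shape of the bug (USHRT_MAX, 65535
 * elements) and the corrected shape (65536 elements). */
static struct id_slot map_before[USHRT_MAX];
static struct id_slot map_after[NUM_IDS];

/* Activity bitmaps, one bit per identifier, same before/after sizing. */
static uint8_t act_before[USHRT_MAX / 8];
static uint8_t act_after[DIV_ROUND_UP(NUM_IDS, 8)];

/* Build-time guards: these fail to compile if either corrected array is
 * ever shrunk back below one entry (or one bit) per 16-bit identifier. */
_Static_assert(sizeof(map_after) / sizeof(map_after[0]) == (size_t)UINT16_MAX + 1,
	       "id map must have one slot per 16-bit id");
_Static_assert(sizeof(act_after) * 8 >= (size_t)UINT16_MAX + 1,
	       "activity bitmap must have one bit per 16-bit id");

/* Smallest 16-bit id that would index past an array of `len` elements,
 * or -1 when every id 0..65535 is in bounds. */
long first_unsafe_array_id(size_t len)
{
	return len > UINT16_MAX ? -1 : (long)len;
}

/* Smallest 16-bit id whose bit lies past a bitmap of `bytes` bytes, or -1
 * when every id has a bit. The bit for id lives in byte id / 8, so the
 * first id without a byte is bytes * 8. */
long first_unsafe_bitmap_id(size_t bytes)
{
	size_t bits = bytes * 8;

	return bits > UINT16_MAX ? -1 : (long)bits;
}

int main(void)
{
	printf("id map sized USHRT_MAX:    first overrunning id = %ld\n",
	       first_unsafe_array_id(sizeof(map_before) / sizeof(map_before[0])));
	printf("id map sized 1U << 16:     first overrunning id = %ld\n",
	       first_unsafe_array_id(sizeof(map_after) / sizeof(map_after[0])));
	printf("bitmap sized USHRT_MAX / 8: first overrunning id = %ld\n",
	       first_unsafe_bitmap_id(sizeof(act_before)));
	printf("bitmap sized DIV_ROUND_UP: first overrunning id = %ld\n",
	       first_unsafe_bitmap_id(sizeof(act_after)));
	return 0;
}
```

The two helper functions make the difference concrete: the old map loses only identifier 65535, but the old bitmap loses every identifier from 65528 upwards, because integer division rounds 65535 / 8 down to 8191 bytes. The _Static_assert lines are the cheap, permanent check that turns this class of off-by-one into a build failure rather than a memory-safety bug.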