From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
CC: jk@lutty.net, David Gibson
Subject: [PATCH 2/2] udp: Fix 16-bit overflow in udp_invert_portmap()
Date: Tue, 20 Feb 2024 13:48:24 +1100
Message-ID: <20240220024824.2198704-3-david@gibson.dropbear.id.au>
In-Reply-To: <20240220024824.2198704-1-david@gibson.dropbear.id.au>
References: <20240220024824.2198704-1-david@gibson.dropbear.id.au>

The code in udp_invert_portmap() is written based on an incorrect understanding of C's (arcane) integer promotion rules. We calculate '(in_port_t)i + delta' expecting the result to be of type in_port_t (16 bits). However "small integer types" (those narrower than 'int') are always promoted to int for expressions, meaning this calculation can overrun the rdelta[] array.

Fix this, and use a new intermediate for the index, to make it very clear what its type is. We also change i to unsigned, to avoid any possible confusion from mixing signed and unsigned types.

Link: https://bugs.passt.top/show_bug.cgi?id=80
Reported-by: Laurent Jacquot
Suggested-by: Laurent Jacquot
Signed-off-by: David Gibson
---
 udp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/udp.c b/udp.c index c031a053..a3961bfd 100644 --- a/udp.c +++ b/udp.c 
@@ -258,15 +258,16 @@ void udp_portmap_clear(void) */ static void udp_invert_portmap(struct udp_port_fwd *fwd) { - int i; + unsigned int i; static_assert(ARRAY_SIZE(fwd->f.delta) == ARRAY_SIZE(fwd->rdelta), "Forward and reverse delta arrays must have same size"); for (i = 0; i < ARRAY_SIZE(fwd->f.delta); i++) { in_port_t delta = fwd->f.delta[i]; + in_port_t rport = i + delta; if (delta) - fwd->rdelta[(in_port_t)i + delta] = NUM_PORTS - delta; + fwd->rdelta[rport] = NUM_PORTS - delta; } } -- 2.43.2
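
Review bot: in the loop body, 'in_port_t rport = i + delta;' gets its modulo-65536 wrap only from the implicit narrowing of an unsigned int sum into in_port_t, which is the same kind of silent conversion that hid the original bug; an explicit cast on that line, or a one-line comment saying the wrap is intended, would state the intent and keep conversion warnings such as -Wconversion quiet. Also, the static_assert above the loop only checks that f.delta and rdelta have the same size; 'fwd->rdelta[rport]' is in bounds only if the array has an entry for every in_port_t value, so a second static_assert comparing ARRAY_SIZE(fwd->rdelta) with NUM_PORTS would pin that assumption down.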
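
The promotion behaviour described in the commit message, as an added example (not code from passt or from the patch author). The type port_t, NUM_PORTS as 65536, the helper names and the sample forwards are assumptions constructed for illustration; the old index is only computed, never used for a write.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_PORTS (1U << 16)          /* assumed: one slot per 16-bit port */
typedef uint16_t port_t;              /* stand-in for in_port_t */

/* Index as the old expression computed it: both operands are promoted to
 * int before the addition, so the sum is not reduced modulo 65536. */
static long promoted_index(unsigned i, port_t delta)
{
	return (port_t)i + delta;
}

/* Index after the fix: narrowing the sum to 16 bits wraps it. */
static port_t wrapped_index(unsigned i, port_t delta)
{
	return (port_t)(i + delta);
}

/* Build the reverse table with the wrapped index; returns how many forward
 * entries would have produced an out-of-bounds index with the old code. */
static unsigned invert(const port_t *delta, port_t *rdelta)
{
	unsigned i, would_overrun = 0;

	for (i = 0; i < NUM_PORTS; i++) {
		if (!delta[i])
			continue;
		if (promoted_index(i, delta[i]) >= (long)NUM_PORTS)
			would_overrun++;
		rdelta[wrapped_index(i, delta[i])] = (port_t)(NUM_PORTS - delta[i]);
	}
	return would_overrun;
}

static port_t fwd_delta[NUM_PORTS], rev_delta[NUM_PORTS];
/* Constructed sample: 65000 -> 464 (delta 1000) and 80 -> 8080 (delta 8000). */
static unsigned demo(void)
{
	fwd_delta[65000] = 1000;
	fwd_delta[80] = 8000;
	return invert(fwd_delta, rev_delta);
}

int main(void)
{
	printf("old %ld, new %u, overruns avoided %u\n", promoted_index(65000, 1000), (unsigned)wrapped_index(65000, 1000), demo());
	return 0;
}
```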