[PATCH 0/2] Avoid overlapping mempcy() in DUP_ACK handling

[PATCH 0/2] Avoid overlapping mempcy() in DUP_ACK handling

[David Gibson]

Spotted this so-far harmless, but technically undefined behaviour
while looking at other things.  Fixed one other nit at the same time.

David Gibson (2):
  tcp: Remove redundant initialisation of iov[TCP_IOV_ETH].iov_base
  tcp: Avoid overlapping memcpy() in DUP_ACK handling

 tcp_buf.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

-- 
2.46.0

[PATCH 1/2] tcp: Remove redundant initialisation of iov[TCP_IOV_ETH].iov_base

[David Gibson]

This initialisation for IPv4 flags buffers is redundant with the very next
line which sets both iov_base and iov_len.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 tcp_buf.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tcp_buf.c b/tcp_buf.c
index c31e9f31..2e044b27 100644
--- a/tcp_buf.c
+++ b/tcp_buf.c
@@ -168,7 +168,6 @@ void tcp_sock4_iov_init(const struct ctx *c)
 		iov = tcp4_l2_flags_iov[i];
 
 		iov[TCP_IOV_TAP] = tap_hdr_iov(c, &tcp4_flags_tap_hdr[i]);
-		iov[TCP_IOV_ETH].iov_base = &tcp4_eth_src;
 		iov[TCP_IOV_ETH] = IOV_OF_LVALUE(tcp4_eth_src);
 		iov[TCP_IOV_IP] = IOV_OF_LVALUE(tcp4_flags_ip[i]);
 		iov[TCP_IOV_PAYLOAD].iov_base = &tcp4_flags[i];
-- 
@@ -168,7 +168,6 @@ void tcp_sock4_iov_init(const struct ctx *c)
 		iov = tcp4_l2_flags_iov[i];
 
 		iov[TCP_IOV_TAP] = tap_hdr_iov(c, &tcp4_flags_tap_hdr[i]);
-		iov[TCP_IOV_ETH].iov_base = &tcp4_eth_src;
 		iov[TCP_IOV_ETH] = IOV_OF_LVALUE(tcp4_eth_src);
 		iov[TCP_IOV_IP] = IOV_OF_LVALUE(tcp4_flags_ip[i]);
 		iov[TCP_IOV_PAYLOAD].iov_base = &tcp4_flags[i];
-- 
2.46.0

[PATCH 2/2] tcp: Avoid overlapping memcpy() in DUP_ACK handling

[David Gibson]

When handling the DUP_ACK flag, we copy all the buffers making up the ack
frame.  However, all our frames share the same buffer for the Ethernet
header (tcp4_eth_src or tcp6_eth_src), so copying the TCP_IOV_ETH will
result in a (perfectly) overlapping memcpy().  This seems to have been
harmless so far, but overlapping ranges to memcpy() is undefined behaviour,
so we really should avoid it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 tcp_buf.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tcp_buf.c b/tcp_buf.c
index 2e044b27..1a398461 100644
--- a/tcp_buf.c
+++ b/tcp_buf.c
@@ -332,9 +332,13 @@ int tcp_buf_send_flag(struct ctx *c, struct tcp_tap_conn *conn, int flags)
 		else
 			dup_iov = tcp6_l2_flags_iov[tcp6_flags_used++];
 
-		for (i = 0; i < TCP_NUM_IOVS; i++)
-			memcpy(dup_iov[i].iov_base, iov[i].iov_base,
-			       iov[i].iov_len);
+		for (i = 0; i < TCP_NUM_IOVS; i++) {
+			/* All frames share the same ethernet header buffer */
+			if (i != TCP_IOV_ETH) {
+				memcpy(dup_iov[i].iov_base, iov[i].iov_base,
+				       iov[i].iov_len);
+			}
+		}
 		dup_iov[TCP_IOV_PAYLOAD].iov_len = iov[TCP_IOV_PAYLOAD].iov_len;
 	}
 
-- 
@@ -332,9 +332,13 @@ int tcp_buf_send_flag(struct ctx *c, struct tcp_tap_conn *conn, int flags)
 		else
 			dup_iov = tcp6_l2_flags_iov[tcp6_flags_used++];
 
-		for (i = 0; i < TCP_NUM_IOVS; i++)
-			memcpy(dup_iov[i].iov_base, iov[i].iov_base,
-			       iov[i].iov_len);
+		for (i = 0; i < TCP_NUM_IOVS; i++) {
+			/* All frames share the same ethernet header buffer */
+			if (i != TCP_IOV_ETH) {
+				memcpy(dup_iov[i].iov_base, iov[i].iov_base,
+				       iov[i].iov_len);
+			}
+		}
 		dup_iov[TCP_IOV_PAYLOAD].iov_len = iov[TCP_IOV_PAYLOAD].iov_len;
 	}
 
-- 
2.46.0

Re: [PATCH 0/2] Avoid overlapping mempcy() in DUP_ACK handling

[Stefano Brivio]

On Thu, 12 Sep 2024 16:59:38 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> Spotted this so-far harmless, but technically undefined behaviour
> while looking at other things.  Fixed one other nit at the same time.
> 
> David Gibson (2):
>   tcp: Remove redundant initialisation of iov[TCP_IOV_ETH].iov_base
>   tcp: Avoid overlapping memcpy() in DUP_ACK handling
> 
>  tcp_buf.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)

Applied.

-- 
Stefano