public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: Jon Maloy <jmaloy@redhat.com>
Cc: passt-dev@passt.top, lvivier@redhat.com, dgibson@redhat.com
Subject: Re: [PATCH v9 0/4] Reconstruct incoming ICMP headers for failed UDP connect and forward back
Date: Tue, 4 Mar 2025 13:05:20 +0100
Message-ID: <20250304130520.40dfaa55@elisabeth>
In-Reply-To: <20250304012915.1517536-1-jmaloy@redhat.com>

On Mon,  3 Mar 2025 20:29:11 -0500
Jon Maloy <jmaloy@redhat.com> wrote:

> v2: - Added patch breaking out udp header creation from function
>       tap_udp4_send().
>     - Updated the ICMP creation by using the new function.
>     - Added logic to find correct flow, depending on origin.
>     - All done after feedback from David Gibson.
> v3: - More changes after feedback from David Gibson.
> v4: - Even more changes after feedback from D. Gibson
> v5: - Added corresponding patches for IPv6
> v6: - Fixed some small nits after comments from D. Gibson.
> v7: - Added handling of all rejected ICMP messages
>     - Returning correct user data amount if IPv6 as per RFC 4884.
> v8: - Added MTU to ICMPv4 ICMP_FRAG_NEEDED messages.
>     - Added ASSERT() validation to message creation functions.
> v9: - Using real source address of ICMP to complement destination
>       address for original UDP message when needed.
> 
> Jon Maloy (4):
>   tap: break out building of udp header from tap_udp4_send function
>   udp: create and send ICMPv4 to local peer when applicable
>   tap: break out building of udp header from tap_udp6_send function
>   udp: create and send ICMPv6 to local peer when applicable

I was about to apply those, then I realised that Coverity Scan isn't
happy about a few things, listed below. I didn't check if those are
false positives (I can have a look later or within a couple of days
unless you get to it first).

1.
---
/home/sbrivio/passt/udp.c:448:2:
  Type: Out-of-bounds access (ARRAY_VS_SINGLETON)

/home/sbrivio/passt/udp.c:440:2:
  1. path: Condition "!(dlen <= 8)", taking false branch.
/home/sbrivio/passt/udp.c:444:2:
  2. path: Condition "ee->ee_type == 3", taking true branch.
/home/sbrivio/passt/udp.c:444:2:
  3. path: Condition "ee->ee_code == 4", taking true branch.
/home/sbrivio/passt/udp.c:448:2:
  4. address_of: Taking address with "&msg.ip4h" yields a singleton pointer.
/home/sbrivio/passt/udp.c:448:2:
  5. callee_ptr_arith: Passing "&msg.ip4h" to function "tap_push_ip4h" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
/home/sbrivio/passt/tap.c:162:2:
  5.1. ptr_arith: Performing pointer arithmetic on "ip4h" in expression "ip4h + 1".
---

2.
---
/home/sbrivio/passt/udp.c:493:2:
  Type: Out-of-bounds access (ARRAY_VS_SINGLETON)

/home/sbrivio/passt/udp.c:485:2:
  1. path: Condition "!(dlen <= 1232UL /* 1280 - sizeof (struct udphdr) - sizeof (struct ipv6hdr) */)", taking false branch.
/home/sbrivio/passt/udp.c:489:2:
  2. path: Condition "ee->ee_type == 2", taking true branch.
/home/sbrivio/passt/udp.c:493:2:
  3. address_of: Taking address with "&msg.ip6h" yields a singleton pointer.
/home/sbrivio/passt/udp.c:493:2:
  4. callee_ptr_arith: Passing "&msg.ip6h" to function "tap_push_ip6h" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
/home/sbrivio/passt/tap.c:265:2:
  4.1. ptr_arith: Performing pointer arithmetic on "ip6h" in expression "ip6h + 1".
---

3.
---
/home/sbrivio/passt/udp.c:449:2:
  Type: Out-of-bounds access (ARRAY_VS_SINGLETON)

/home/sbrivio/passt/udp.c:440:2:
  1. path: Condition "!(dlen <= 8)", taking false branch.
/home/sbrivio/passt/udp.c:444:2:
  2. path: Condition "ee->ee_type == 3", taking true branch.
/home/sbrivio/passt/udp.c:444:2:
  3. path: Condition "ee->ee_code == 4", taking true branch.
/home/sbrivio/passt/udp.c:449:2:
  4. address_of: Taking address with "&msg.uh" yields a singleton pointer.
/home/sbrivio/passt/udp.c:449:2:
  5. callee_ptr_arith: Passing "&msg.uh" to function "tap_push_uh4" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
/home/sbrivio/passt/tap.c:190:2:
  5.1. ptr_arith: Performing pointer arithmetic on "uh" in expression "uh + 1".
---

4.
---
/home/sbrivio/passt/udp.c:494:2:
  Type: Out-of-bounds access (ARRAY_VS_SINGLETON)

/home/sbrivio/passt/udp.c:485:2:
  1. path: Condition "!(dlen <= 1232UL /* 1280 - sizeof (struct udphdr) - sizeof (struct ipv6hdr) */)", taking false branch.
/home/sbrivio/passt/udp.c:489:2:
  2. path: Condition "ee->ee_type == 2", taking true branch.
/home/sbrivio/passt/udp.c:494:2:
  3. address_of: Taking address with "&msg.uh" yields a singleton pointer.
/home/sbrivio/passt/udp.c:494:2:
  4. callee_ptr_arith: Passing "&msg.uh" to function "tap_push_uh6" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
/home/sbrivio/passt/tap.c:295:2:
  4.1. ptr_arith: Performing pointer arithmetic on "uh" in expression "uh + 1".
---

-- 
Stefano
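The four Coverity findings above are all the same shape: a function such as tap_push_ip4h() or tap_push_uh4() is handed a pointer to one header struct and then computes "hdr + 1" to find the bytes that follow it, while the caller passes the address of a single member of a larger message struct. Whether that arithmetic is in bounds depends entirely on the layout of the enclosing struct (no padding between the header members, data following directly), which the analyzer cannot see from the callee alone. The following is an added example written for this page, not passt's code: push_ip4h() and push_uh4() are stand-ins for the pattern the warnings describe, struct ip4h_s and struct udph_s are assumed to match the 20-byte and 8-byte layouts of the Linux iphdr and udphdr, and the sample addresses, ports and payload are constructed. It shows the pattern together with the compile-time and run-time checks that establish whether the "+ 1" hops really stay inside the message buffer.

```c
/* Added example, not passt's code: a header-pushing helper that uses
 * "hdr + 1" to find the bytes after the header it just wrote (the pattern
 * Coverity reports as ARRAY_VS_SINGLETON), plus the layout checks that
 * show when that arithmetic stays inside the enclosing message. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for struct iphdr / struct udphdr (assumption: same 20-byte and
 * 8-byte layouts as the Linux headers; defined here to stay self-contained). */
struct ip4h_s {
	uint8_t  vihl, tos;
	uint16_t tot_len, id, frag_off;
	uint8_t  ttl, protocol;
	uint16_t check;
	uint32_t saddr, daddr;
};

struct udph_s {
	uint16_t source, dest, len, check;
};

/* Reconstructed message: IPv4 header, UDP header, then the first 8 bytes
 * of the original payload that an ICMP error carries. */
struct icmp_err_msg {
	struct ip4h_s ip4h;
	struct udph_s uh;
	uint8_t data[8];
};

/* "hdr + 1" only lands on the next member if there is no padding between
 * members: make that a compile-time fact rather than an assumption. */
_Static_assert(offsetof(struct icmp_err_msg, uh) == sizeof(struct ip4h_s),
	       "padding between ip4h and uh");
_Static_assert(offsetof(struct icmp_err_msg, data) ==
	       sizeof(struct ip4h_s) + sizeof(struct udph_s),
	       "padding between uh and data");

/* Fill an IPv4 header and return the address just past it. This is the
 * "ip4h + 1" pointer arithmetic on a singleton that Coverity flags. */
static void *push_ip4h(struct ip4h_s *ip4h, uint32_t saddr, uint32_t daddr,
		       uint8_t proto, size_t l4len)
{
	memset(ip4h, 0, sizeof(*ip4h));
	ip4h->vihl = 0x45;	/* IPv4, 5 x 32-bit words, no options */
	ip4h->tot_len = htons((uint16_t)(sizeof(*ip4h) + l4len));
	ip4h->ttl = 64;
	ip4h->protocol = proto;
	ip4h->saddr = saddr;
	ip4h->daddr = daddr;
	/* Header checksum left zero: not needed to show the pointer pattern. */
	return ip4h + 1;
}

/* Same pattern for the UDP header ("uh + 1"). */
static void *push_uh4(struct udph_s *uh, uint16_t sport, uint16_t dport,
		      size_t dlen)
{
	uh->source = htons(sport);
	uh->dest = htons(dport);
	uh->len = htons((uint16_t)(sizeof(*uh) + dlen));
	uh->check = 0;
	return uh + 1;
}

/* Build the message the way the flagged call path does and return the
 * total length, so a caller can verify the "+ 1" hops ended exactly at
 * the end of the struct. Addresses and ports are constructed sample values. */
size_t build_icmp_err_msg(struct icmp_err_msg *msg, const uint8_t *orig,
			  size_t olen)
{
	uint8_t *p;

	if (olen > sizeof(msg->data))
		olen = sizeof(msg->data);	/* only 8 bytes of payload are quoted */

	p = push_ip4h(&msg->ip4h, htonl(0x0a000001), htonl(0x0a000002),
		      17 /* UDP */, sizeof(msg->uh) + olen);
	p = push_uh4((struct udph_s *)p, 40000, 53, olen);
	memcpy(p, orig, olen);
	return (size_t)(p + olen - (uint8_t *)msg);
}

/* Run-time form of the same layout check: returns 1 when each "+ 1" hop
 * lands on the next member of the message struct. */
int hops_stay_in_message(void)
{
	struct icmp_err_msg msg;

	return (void *)(&msg.ip4h + 1) == (void *)&msg.uh &&
	       (void *)(&msg.uh + 1) == (void *)msg.data;
}
```

With the two _Static_assert checks in place the finding is demonstrably a false positive for this layout: the callee's "+ 1" never leaves the caller's message. If the goal is to stop the analyzer reporting it at all rather than to prove it harmless, the alternative is to have the caller address the next member through the enclosing struct (&msg->uh, msg->data) instead of relying on the pointer the callee derives from the previous header.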



Thread overview: 9+ messages
2025-03-04  1:29 [PATCH v9 0/4] Reconstruct incoming ICMP headers for failed UDP connect and forward back Jon Maloy
2025-03-04  1:29 ` [1/4] tap: break out building of udp header from tap_udp4_send function Jon Maloy
2025-03-04  1:29 ` [2/4] udp: create and send ICMPv4 to local peer when applicable Jon Maloy
2025-03-04  1:29 ` [3/4] tap: break out building of udp header from tap_udp6_send function Jon Maloy
2025-03-04  1:29 ` [4/4] udp: create and send ICMPv6 to local peer when applicable Jon Maloy
2025-03-04  4:46 ` [PATCH v9 0/4] Reconstruct incoming ICMP headers for failed UDP connect and forward back David Gibson
2025-03-04 12:05 ` Stefano Brivio [this message]
2025-03-04 22:44   ` Jon Maloy
2025-03-05  8:59     ` Stefano Brivio

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt
