From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 10/11] packet: ASSERT on signs of pool corruption
Date: Mon, 17 Mar 2025 20:24:23 +1100 [thread overview]
Message-ID: <20250317092424.1461719-11-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20250317092424.1461719-1-david@gibson.dropbear.id.au>
If packet_check_range() fails in packet_get_try_do() we just return NULL.
But this check only takes places after we've already validated the given
range against the packet it's in. That means that if packet_check_range()
fails, the packet pool is already in a corrupted state (we should have
made strictly stronger checks when the packet was added). Simply returning
NULL and logging a trace() level message isn't really adequate for that
situation; ASSERT instead.
Similarly we check the given idx against both p->count and p->size. The
latter should be redundant, because count should always be <= size. If
that's not the case then, again, the pool is already in a corrupted state
and we may have overwritten unknown memory. Assert for this case too.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
packet.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/packet.c b/packet.c
index b3e8c79e..be28f279 100644
--- a/packet.c
+++ b/packet.c
@@ -129,9 +129,13 @@ void *packet_get_try_do(const struct pool *p, size_t idx, size_t offset,
{
char *ptr;
- if (idx >= p->size || idx >= p->count) {
- trace("packet %zu from pool size: %zu, count: %zu, %s:%i",
- idx, p->size, p->count, func, line);
+ ASSERT_WITH_MSG(p->count <= p->size,
+ "Corrupt pool count: %zu, size: %zu, %s:%i",
+ p->count, p->size, func, line);
+
+ if (idx >= p->count) {
+ trace("packet %zu from pool count: %zu, %s:%i",
+ idx, p->count, func, line);
return NULL;
}
@@ -141,8 +145,8 @@ void *packet_get_try_do(const struct pool *p, size_t idx, size_t offset,
ptr = (char *)p->pkt[idx].iov_base + offset;
- if (packet_check_range(p, ptr, len, func, line))
- return NULL;
+ ASSERT_WITH_MSG(!packet_check_range(p, ptr, len, func, line),
+ "Corrupt packet pool, %s:%i", func, line);
if (left)
*left = p->pkt[idx].iov_len - offset - len;
--
@@ -129,9 +129,13 @@ void *packet_get_try_do(const struct pool *p, size_t idx, size_t offset,
{
char *ptr;
- if (idx >= p->size || idx >= p->count) {
- trace("packet %zu from pool size: %zu, count: %zu, %s:%i",
- idx, p->size, p->count, func, line);
+ ASSERT_WITH_MSG(p->count <= p->size,
+ "Corrupt pool count: %zu, size: %zu, %s:%i",
+ p->count, p->size, func, line);
+
+ if (idx >= p->count) {
+ trace("packet %zu from pool count: %zu, %s:%i",
+ idx, p->count, func, line);
return NULL;
}
@@ -141,8 +145,8 @@ void *packet_get_try_do(const struct pool *p, size_t idx, size_t offset,
ptr = (char *)p->pkt[idx].iov_base + offset;
- if (packet_check_range(p, ptr, len, func, line))
- return NULL;
+ ASSERT_WITH_MSG(!packet_check_range(p, ptr, len, func, line),
+ "Corrupt packet pool, %s:%i", func, line);
if (left)
*left = p->pkt[idx].iov_len - offset - len;
--
2.48.1
next prev parent reply other threads:[~2025-03-17 10:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 9:24 [PATCH v2 00/11] Improve robustness of calculations related to frame size limits David Gibson
2025-03-17 9:24 ` [PATCH v2 01/11] vu_common: Tighten vu_packet_check_range() David Gibson
2025-03-17 9:24 ` [PATCH v2 02/11] packet: More cautious checks to avoid pointer arithmetic UB David Gibson
2025-03-17 9:24 ` [PATCH v2 03/11] tap: Make size of pool_tap[46] purely a tuning parameter David Gibson
2025-03-17 9:24 ` [PATCH v2 04/11] tap: Clarify calculation of TAP_MSGS David Gibson
2025-03-17 9:24 ` [PATCH v2 05/11] packet: Correct type of PACKET_MAX_LEN David Gibson
2025-03-17 9:24 ` [PATCH v2 06/11] packet: Avoid integer overflows in packet_get_do() David Gibson
2025-03-17 9:24 ` [PATCH v2 07/11] packet: Move checks against PACKET_MAX_LEN to packet_check_range() David Gibson
2025-03-17 9:24 ` [PATCH v2 08/11] packet: Rework packet_get() versus packet_get_try() David Gibson
2025-03-17 9:24 ` [PATCH v2 09/11] util: Add abort_with_msg() and ASSERT_WITH_MSG() helpers David Gibson
2025-03-17 9:24 ` David Gibson [this message]
2025-03-17 9:24 ` [PATCH v2 11/11] packet: Upgrade severity of most packet errors David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250317092424.1461719-11-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).