From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202502 header.b=HGXsMSpy; dkim-atps=neutral Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id B1FCA5A077D for ; Mon, 17 Mar 2025 11:02:27 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202502; t=1742205731; bh=bv4znHhPLG/2PqfArsvzX7uKCZd/48Eg+VIhbUO70C4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HGXsMSpyH8E4dNpyDh/rXEVdgrnQFQM5tI2XFUVdsiwYdlZ2WIeWXn9PamPEZcKq8 Q7pqbc/J5zQbjVetVZJr4+K5Rs6XtxtAdqpKJ/FWVClAMsV/1htykeYj+LufnKQwqd BmezW6wURevptSTeZPto4SucBQAYfDYcuUF7iFoEWwbxReupj4edj/o5bFAu3nUglj dJ8kYlxcm8zTH9lsl1F5nZCojqNR5KgXhq1FXIixc8UJiToqSj6Oa8Y8UmnawoE2cD XAWXcXRu9BpMxFXfgLXTdaWcNiOFgTGudkmRGIyn3wWeBbNGBh/LnzC3+OkoCGVuzP quZcJ763dyLFQ== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4ZGVrM6T3Cz4xD7; Mon, 17 Mar 2025 21:02:11 +1100 (AEDT) From: David Gibson To: passt-dev@passt.top, Stefano Brivio Subject: [PATCH v2 10/11] packet: ASSERT on signs of pool corruption Date: Mon, 17 Mar 2025 20:24:23 +1100 Message-ID: <20250317092424.1461719-11-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250317092424.1461719-1-david@gibson.dropbear.id.au> References: <20250317092424.1461719-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: 4LS6A47VTXE5OILTLNXQS6MCZ4L6WNLQ X-Message-ID-Hash: 4LS6A47VTXE5OILTLNXQS6MCZ4L6WNLQ X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: If packet_check_range() fails in packet_get_try_do() we just return NULL. But this check only takes places after we've already validated the given range against the packet it's in. That means that if packet_check_range() fails, the packet pool is already in a corrupted state (we should have made strictly stronger checks when the packet was added). Simply returning NULL and logging a trace() level message isn't really adequate for that situation; ASSERT instead. Similarly we check the given idx against both p->count and p->size. The latter should be redundant, because count should always be <= size. If that's not the case then, again, the pool is already in a corrupted state and we may have overwritten unknown memory. Assert for this case too. Signed-off-by: David Gibson --- packet.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/packet.c b/packet.c index b3e8c79e..be28f279 100644 --- a/packet.c +++ b/packet.c @@ -129,9 +129,13 @@ void *packet_get_try_do(const struct pool *p, size_t idx, size_t offset, { char *ptr; - if (idx >= p->size || idx >= p->count) { - trace("packet %zu from pool size: %zu, count: %zu, %s:%i", - idx, p->size, p->count, func, line); + ASSERT_WITH_MSG(p->count <= p->size, + "Corrupt pool count: %zu, size: %zu, %s:%i", + p->count, p->size, func, line); + + if (idx >= p->count) { + trace("packet %zu from pool count: %zu, %s:%i", + idx, p->count, func, line); return NULL; } @@ -141,8 +145,8 @@ void *packet_get_try_do(const struct pool *p, size_t idx, size_t offset, ptr = (char *)p->pkt[idx].iov_base + offset; - if (packet_check_range(p, ptr, len, func, line)) - return NULL; + ASSERT_WITH_MSG(!packet_check_range(p, ptr, len, func, line), + "Corrupt packet pool, %s:%i", func, line); if (left) *left = p->pkt[idx].iov_len - offset - len; -- 2.48.1