public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: Jon Maloy <jmaloy@redhat.com>
To: sbrivio@redhat.com, david@gibson.dropbear.id.au,
	jmaloy@redhat.com, passt-dev@passt.top
Subject: [PATCH v2 3/6] tap: Guard IPv6 tail size subtraction against underflow
Date: Thu,  9 Jul 2026 17:56:53 -0400	[thread overview]
Message-ID: <20260709215656.1351549-4-jmaloy@redhat.com> (raw)
In-Reply-To: <20260709215656.1351549-1-jmaloy@redhat.com>

In tap6_handler(), iov_tail_size(&data) - sizeof(*ip6h) computes
the expected payload length. IOV_PEEK_HEADER() guarantees at least
sizeof(*ip6h) bytes, but add an explicit check to guard the unsigned
subtraction. A too-small tail would indicate a malformed packet, so
skip it.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>

---
v2: Use if-guard instead of assert(), to avoid runtime cost in
    per-packet path and to let the static checker follow the logic.
---
 tap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tap.c b/tap.c
index 6d93c7ce..6fd5f595 100644
--- a/tap.c
+++ b/tap.c
@@ -986,7 +986,10 @@ resume:
 		if (!ip6h)
 			continue;
 
-		check = iov_tail_size(&data) - sizeof(*ip6h);
+		check = iov_tail_size(&data);
+		if (check < sizeof(*ip6h))
+			continue;
+		check -= sizeof(*ip6h);
 
 		saddr = &ip6h->saddr;
 		daddr = &ip6h->daddr;
-- 
2.52.0


  parent reply	other threads:[~2026-07-09 21:57 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 21:56 [PATCH v2 0/6] Fix issues and false positives from static analysis Jon Maloy
2026-07-09 21:56 ` [PATCH v2 1/6] passt: Initialise listening socket fds to -1 Jon Maloy
2026-07-09 21:56 ` [PATCH v2 2/6] udp_vu: Check iov_tail_clone() return before assigning to msg_iovlen Jon Maloy
2026-07-10  1:32   ` David Gibson
2026-07-09 21:56 ` Jon Maloy [this message]
2026-07-10  1:36   ` [PATCH v2 3/6] tap: Guard IPv6 tail size subtraction against underflow David Gibson
2026-07-09 21:56 ` [PATCH v2 4/6] doc/migration: Use snprintf() for socket path and fix argv access Jon Maloy
2026-07-10  1:37   ` David Gibson
2026-07-09 21:56 ` [PATCH v2 5/6] doc/migration: Fix buffer type mismatch in recv() call Jon Maloy
2026-07-09 21:56 ` [PATCH v2 6/6] doc/platform-requirements: Close leaked sockets in test_close_dup() Jon Maloy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709215656.1351549-4-jmaloy@redhat.com \
    --to=jmaloy@redhat.com \
    --cc=david@gibson.dropbear.id.au \
    --cc=passt-dev@passt.top \
    --cc=sbrivio@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).