From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202602 header.b=bLsLHRHS; dkim-atps=neutral Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id 0158C5A0262 for ; Tue, 05 May 2026 08:22:53 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202602; t=1777962169; bh=lxoh0qsvZz+Jvaxe/Wdq+DcLU/Ujsz/gnQDR0NxiwGs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=bLsLHRHSoGxmGFuyeBylnTaD5o0Ig6M92LTnpH4G11M4fWjIfE9QaSAAK9vTqXzkZ rd97JpSU5hgHOsifSZJxb8pmxV+N5fxFuS7HDMDbJkq+hoV108A18tWT+WZ3hYt0zi RuPVv2YwQpNSTA6XwjGy8PBmN7dAb1Dun08QlrSTyq7G0yymp6V8A1nbrBWn+XABeb V+3W6nZwWBu9Jh/UWGqeNqfl+l5HVmlhBS+vz2g9lMpDDJiV8Cc89hBPnn2Hlm3phx dbsgMzAon0MI1m8Ks6NQyiB1akfIis2c8xAwmRVEO5kOwdALxOUnREt7MHOHVgQ8Xn vURfpQ/iuFK7Q== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4g8pN91g1jz4wKW; Tue, 05 May 2026 16:22:49 +1000 (AEST) Date: Tue, 5 May 2026 16:22:43 +1000 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH v7 18/18] fwd_rule: Fix static checkers warnings in fwd_rule_add() Message-ID: References: <20260504231142.1118652-1-sbrivio@redhat.com> <20260504231142.1118652-19-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="fSQxfW2hbLthIi9Z" Content-Disposition: inline In-Reply-To: <20260504231142.1118652-19-sbrivio@redhat.com> Message-ID-Hash: 45RRKANRYLKJTQ7LAHRFVHH34KCPJSJ2 X-Message-ID-Hash: 45RRKANRYLKJTQ7LAHRFVHH34KCPJSJ2 X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Jon Maloy , Laurent Vivier X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --fSQxfW2hbLthIi9Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, May 05, 2026 at 01:11:42AM +0200, Stefano Brivio wrote: > The new checks are actually sufficient but not enough for Coverity > Scan. Now that fwd->sock_count and new->last are affected or supplied > by clients, we need explicit (albeit redundant) checks on them. >=20 > Signed-off-by: Stefano Brivio I'm assuming this does squash the warnings, but I think it does so in a somewhat confusing way. > --- > fwd_rule.c | 9 +++++++++ > 1 file changed, 9 insertions(+) >=20 > diff --git a/fwd_rule.c b/fwd_rule.c > index b55e4df..03e8e80 100644 > --- a/fwd_rule.c > +++ b/fwd_rule.c > @@ -271,13 +271,22 @@ int fwd_rule_add(struct fwd_table *fwd, const struc= t fwd_rule *new) > warn("Too many rules (maximum %d)", ARRAY_SIZE(fwd->rules)); > return -ENOSPC; > } > + > if ((fwd->sock_count + num) > ARRAY_SIZE(fwd->socks)) { > warn("Rules require too many listening sockets (maximum %d)", > ARRAY_SIZE(fwd->socks)); > return -ENOSPC; > } > + /* Redundant, to make static checkers happy */ > + if (fwd->sock_count > ARRAY_SIZE(fwd->socks)) > + return -ENOSPC; So there's actually two conditions that this is kind of relevant to: 1) (fwd->sock_count > ARRAY_SIZE(fwd->socks)) on entry That means something is horribly wrong before we were even called. So, I think that would be better as an assert(). 2) (fwd->sock_count + num) overflows That's a closer-to-real concern. I'm pretty sure we can't hit it for real, because num is necessarily <=3D 65536, so as long as (1) is true this can't overflow. But that relies on the specific value of ARRAY_SIZE(fwd->socks), so it's kind of fragile. I think an explicit check for this is a good idea, but it should actually check for this, not just side-effects of it, so: if (fwd->sock_count + num <=3D fwd->sock_count) { warn("Blah blah overflow"); return -EFAULT; /* or whatever */ } > fwd->rulesocks[fwd->count] =3D &fwd->socks[fwd->sock_count]; > + > + /* Redundant ('num' checked above), but not for static checkers */ > + if (new->last > ARRAY_SIZE(fwd->socks) + new->first) > + return -ENOSPC; This way of organising the check is very confusing to me. I'm not really sure what it's trying to catch. We've already checked that last >=3D first, so using num is safer to deal with at this point than ARRAY_SIZE() + first, which could in principle overflow even if sock_count + num is perfectly ok. > for (port =3D new->first; port <=3D new->last; port++) > fwd->rulesocks[fwd->count][port - new->first] =3D -1; > =20 > --=20 > 2.43.0 >=20 --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --fSQxfW2hbLthIi9Z Content-Type: application/pgp-signature; name=signature.asc -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmn5jKcACgkQzQJF27ox 2GcuQg//dwpiAjwQSrKkBdgp5yFrLpRwMDI6NKscUBQ8c2WraJocrjOLHUdpbHKb 7fwmnBa501mNr9iyDtYhk7xrjgsVWYyGlPKTzXzSMrACv4sLzH7pozEW6IonmkL+ ucQGJ5npRVxt4TOK2w+HF2IY+oBvcGlt0Us8+UZqIAwGezmFsPthltq7hBGIcHSp 2QgTReAxmqwS04DdG4GAHIs0LVP7fBIQy1lUeORPkPsySjAdEiv+D2RVPX1wkHOs /+fEImV8cnXVSCYBEW63khWBfzVtneay8hrw6NbLq4n5KY7QycYU5CrOwbjoRMvu T9ZNoXjkLTBblzkCRq4OZ7ePN2QfQvtq1PtMi7X2FIYCF6eJIk583LdhC+gCWUny syf0SiIrJeWYOnVcPxGO9QmFRhA3I9nkZQmS2M8HyGFIqefReaLDcs1ScfG+rnVB l+y844UURKLuhK3HhoNUMrDiEy9eg+MWNJnFEEj6DaOlPV1sjIET5ryNdo2wRjo7 gYjyCk9bXnIAx6ZVokrJIB+Z/0pMvQKZTwaVs4MoHnAiER1Nd25gtl+YYsJta8ci mGKEtnqtKjRGpWxBd70sL5XkjWyEFRy3YWWz4wP+PamJ2xeJfZ68gVyJexWd1Eek InH8nN4Ln9fzBW59QPUqXcJ4Mj29P708gvY+pu7qmFlDT8ExKpc= =9vCb -----END PGP SIGNATURE----- --fSQxfW2hbLthIi9Z--