From: David Gibson <david@gibson.dropbear.id.au>
To: Jon Maloy <jmaloy@redhat.com>
Cc: sbrivio@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v2 3/6] tap: Guard IPv6 tail size subtraction against underflow
Date: Fri, 10 Jul 2026 11:36:07 +1000 [thread overview]
Message-ID: <alBMff9G7AdYNbqD@zatzit> (raw)
In-Reply-To: <20260709215656.1351549-4-jmaloy@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1443 bytes --]
On Thu, Jul 09, 2026 at 05:56:53PM -0400, Jon Maloy wrote:
> In tap6_handler(), iov_tail_size(&data) - sizeof(*ip6h) computes
> the expected payload length. IOV_PEEK_HEADER() guarantees at least
> sizeof(*ip6h) bytes, but add an explicit check to guard the unsigned
> subtraction. A too-small tail would indicate a malformed packet, so
> skip it.
>
> Signed-off-by: Jon Maloy <jmaloy@redhat.com>
>
> ---
> v2: Use if-guard instead of assert(), to avoid runtime cost in
> per-packet path and to let the static checker follow the logic.
Why would the if be cheaper than an assert()? The IOV_PEEK_HEADER()
already checks the length, so this check is definitely redundant - it
exists only for the benefit of static checkers.
> ---
> tap.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/tap.c b/tap.c
> index 6d93c7ce..6fd5f595 100644
> --- a/tap.c
> +++ b/tap.c
> @@ -986,7 +986,10 @@ resume:
> if (!ip6h)
> continue;
>
> - check = iov_tail_size(&data) - sizeof(*ip6h);
> + check = iov_tail_size(&data);
> + if (check < sizeof(*ip6h))
> + continue;
> + check -= sizeof(*ip6h);
>
> saddr = &ip6h->saddr;
> daddr = &ip6h->daddr;
> --
> 2.52.0
>
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2026-07-10 1:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 21:56 [PATCH v2 0/6] Fix issues and false positives from static analysis Jon Maloy
2026-07-09 21:56 ` [PATCH v2 1/6] passt: Initialise listening socket fds to -1 Jon Maloy
2026-07-09 21:56 ` [PATCH v2 2/6] udp_vu: Check iov_tail_clone() return before assigning to msg_iovlen Jon Maloy
2026-07-10 1:32 ` David Gibson
2026-07-09 21:56 ` [PATCH v2 3/6] tap: Guard IPv6 tail size subtraction against underflow Jon Maloy
2026-07-10 1:36 ` David Gibson [this message]
2026-07-09 21:56 ` [PATCH v2 4/6] doc/migration: Use snprintf() for socket path and fix argv access Jon Maloy
2026-07-10 1:37 ` David Gibson
2026-07-09 21:56 ` [PATCH v2 5/6] doc/migration: Fix buffer type mismatch in recv() call Jon Maloy
2026-07-09 21:56 ` [PATCH v2 6/6] doc/platform-requirements: Close leaked sockets in test_close_dup() Jon Maloy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alBMff9G7AdYNbqD@zatzit \
--to=david@gibson.dropbear.id.au \
--cc=jmaloy@redhat.com \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).