From: saeed@kernel.org
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Maor Dickman <maord@nvidia.com>,
	Roi Dayan <roid@nvidia.com>, Saeed Mahameed <saeedm@nvidia.com>
Subject: [net V2 10/15] net/mlx5e: CT, Fix coverity issue
Date: Thu,  1 Oct 2020 12:52:42 -0700
Message-ID: <20201001195247.66636-11-saeed@kernel.org>
In-Reply-To: <20201001195247.66636-1-saeed@kernel.org>

From: Maor Dickman <maord@nvidia.com>

The cited commit introduced the following coverity issue at function
mlx5_tc_ct_rule_to_tuple_nat:
- Memory - corruptions (OVERRUN)
  Overrunning array "tuple->ip.src_v6.in6_u.u6_addr32" of 4 4-byte
  elements at element index 7 (byte offset 31) using index
  "ip6_offset" (which evaluates to 7).

In case of IPv6 destination address rewrite, ip6_offset values are
between 4 and 7, which will cause memory overrun of array
"tuple->ip.src_v6.in6_u.u6_addr32" to array
"tuple->ip.dst_v6.in6_u.u6_addr32".

Fixed by writing the value directly to array
"tuple->ip.dst_v6.in6_u.u6_addr32" in case ip6_offset values are
between 4 and 7.

Fixes: bc562be9674b ("net/mlx5e: CT: Save ct entries tuples in hashtables")
Signed-off-by: Maor Dickman <maord@nvidia.com>
Reviewed-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
index bc5f72ec3623..a8be40cbe325 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
@@ -246,8 +246,10 @@ mlx5_tc_ct_rule_to_tuple_nat(struct mlx5_ct_tuple *tuple,
 		case FLOW_ACT_MANGLE_HDR_TYPE_IP6:
 			ip6_offset = (offset - offsetof(struct ipv6hdr, saddr));
 			ip6_offset /= 4;
-			if (ip6_offset < 8)
+			if (ip6_offset < 4)
 				tuple->ip.src_v6.s6_addr32[ip6_offset] = cpu_to_be32(val);
+			else if (ip6_offset < 8)
+				tuple->ip.dst_v6.s6_addr32[ip6_offset - 4] = cpu_to_be32(val);
 			else
 				return -EOPNOTSUPP;
 			break;
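Review bot: the new bounds in `if (ip6_offset < 4)` and `else if (ip6_offset < 8)`, and the `ip6_offset - 4` index, are bare constants that silently depend on s6_addr32 holding four words and on daddr following saddr in struct ipv6hdr. Deriving them from ARRAY_SIZE(tuple->ip.src_v6.s6_addr32) would keep the check and the array size from drifting apart, which is the class of mistake this fix addresses. Two related points on the same lines: the declaration of ip6_offset is not visible in this hunk, so it is worth confirming it is unsigned, since with a signed type an offset below offsetof(struct ipv6hdr, saddr) would produce a negative index that still passes `ip6_offset < 4`; and `ip6_offset /= 4` truncates, so an offset that is not 4-byte aligned is accepted and written to the containing word rather than rejected with -EOPNOTSUPP.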
-- 
2.26.2

