authorPiotr Bronowski <piotrx.bronowski@intel.com>2022-07-18 16:45:22 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-08-02 10:15:43 +0000
commit818806062cd36a816fd778c6993d20d442d3d3ac (patch)
tree4fbc5915ae288d78f78963f1660a23b87aca43fe
parent69977d2398478c4ba45317e25b760587b6be5c9e (diff)
ipsec: fix coverity warnings found in fast path implementation
This patch fixes the following coverity issues: CID 274739 Out-of-bounds read CID 274746 Out-of-bounds access CID 274748 Out-of-bounds read Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I9bb6741f100a9414a5a15278ffa49b31ccd7994f
-rw-r--r--src/vnet/ipsec/ipsec_spd_fp_lookup.h10
-rw-r--r--src/vnet/ipsec/ipsec_spd_policy.c19
2 files changed, 15 insertions, 14 deletions
diff --git a/src/vnet/ipsec/ipsec_spd_fp_lookup.h b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
index 912e18a3f8a..3aea86f70a0 100644
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@@ -140,8 +140,8 @@ ipsec_fp_ip6_out_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
{
mte = im->fp_mask_types + *mti;
- pmatch = (u64 *) &match->ip6_laddr;
- pmask = (u64 *) &mte->mask.ip6_laddr;
+ pmatch = (u64 *) match->kv_40_8.key;
+ pmask = (u64 *) mte->mask.kv_40_8.key;
pkey = (u64 *) kv.key;
*pkey++ = *pmatch++ & *pmask++;
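Review bot: The new `pmatch = (u64 *) match->kv_40_8.key;` and `pmask` lines only build the same lookup key as before if the `kv_40_8` member starts at the same offset as `ip6_laddr` inside `ipsec_fp_5tuple_t`, and nothing in the patch pins that. The type definition is not visible here, so the overlay is presumably a union. A compile-time check next to it, e.g. `STATIC_ASSERT (STRUCT_OFFSET_OF (ipsec_fp_5tuple_t, kv_40_8) == STRUCT_OFFSET_OF (ipsec_fp_5tuple_t, ip6_laddr), "kv_40_8 must overlay ip6_laddr");`, would keep a later layout change from quietly producing a different SPD lookup key. The same applies to `kv_16_8` versus `laddr` in ipsec_fp_ip4_out_policy_match_n and to both fill_ip*_hash_policy_kv helpers in ipsec_spd_policy.c. The enclosing loop body starts and ends outside the hunk.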
@@ -241,12 +241,12 @@ ipsec_fp_ip4_out_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
{
mte = im->fp_mask_types + *mti;
- pmatch = (u64 *) &match->laddr;
- pmask = (u64 *) &mte->mask.laddr;
+ pmatch = (u64 *) match->kv_16_8.key;
+ pmask = (u64 *) mte->mask.kv_16_8.key;
pkey = (u64 *) kv.key;
*pkey++ = *pmatch++ & *pmask++;
- *pkey++ = *pmatch++ & *pmask++;
+ *pkey = *pmatch & *pmask;
int res = clib_bihash_search_inline_2_16_8 (
&pspd_fp->fp_ip4_lookup_hash, &kv, &result);
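Review bot: The two unrolled stores now encode, without saying so, that a 16_8 key is exactly two u64 words, and the last one is written as `*pkey = *pmatch & *pmask;` with no explanation of why it differs from the line above. A short comment such as `/* 16-byte key = 2 x u64; last word is stored without advancing the pointers */` would stop a later cleanup from restoring the post-increment form. fill_ip4_hash_policy_kv in ipsec_spd_policy.c has the same pair of lines. Whether the ip6 variants still advance past their last word cannot be seen from these hunks, and this block also starts and ends outside the hunk.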
diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c
index b198c205510..1334491b228 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
@@ -252,9 +252,9 @@ fill_ip6_hash_policy_kv (ipsec_fp_5tuple_t *match, ipsec_fp_5tuple_t *mask,
clib_bihash_kv_40_8_t *kv)
{
ipsec_fp_lookup_value_t *kv_val = (ipsec_fp_lookup_value_t *) &kv->value;
- u64 *pmatch = (u64 *) &match->ip6_laddr;
- u64 *pmask = (u64 *) &mask->ip6_laddr;
- u64 *pkey = (u64 *) &kv->key;
+ u64 *pmatch = (u64 *) match->kv_40_8.key;
+ u64 *pmask = (u64 *) mask->kv_40_8.key;
+ u64 *pkey = (u64 *) kv->key;
*pkey++ = *pmatch++ & *pmask++;
*pkey++ = *pmatch++ & *pmask++;
@@ -270,12 +270,12 @@ fill_ip4_hash_policy_kv (ipsec_fp_5tuple_t *match, ipsec_fp_5tuple_t *mask,
clib_bihash_kv_16_8_t *kv)
{
ipsec_fp_lookup_value_t *kv_val = (ipsec_fp_lookup_value_t *) &kv->value;
- u64 *pmatch = (u64 *) &match->laddr;
- u64 *pmask = (u64 *) &mask->laddr;
+ u64 *pmatch = (u64 *) match->kv_16_8.key;
+ u64 *pmask = (u64 *) mask->kv_16_8.key;
u64 *pkey = (u64 *) kv->key;
*pkey++ = *pmatch++ & *pmask++;
- *pkey++ = *pmatch++ & *pmask++;
+ *pkey = *pmatch & *pmask;
kv_val->as_u64 = 0;
}
@@ -349,8 +349,9 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask)
u32 *praddr_stop = (u32 *) &policy->raddr.stop.ip4;
u32 *prmask = (u32 *) &mask->raddr;
- memset (mask, 0, sizeof (mask->l3_zero_pad));
- memset (plmask, 0xff, sizeof (*mask) - sizeof (mask->l3_zero_pad));
+ clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+ clib_memset_u8 (&mask->l3_zero_pad, 0, sizeof (mask->l3_zero_pad));
+
/* find bits where start != stop */
*plmask = *pladdr_start ^ *pladdr_stop;
*prmask = *praddr_start ^ *praddr_stop;
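Review bot: The two `clib_memset_u8` calls are order-dependent, since the all-ones fill has to run before the `l3_zero_pad` clear, and the first call sizes the fill by type name rather than by the object it writes. Consider `clib_memset_u8 (mask, 0xff, sizeof (*mask));` so the length follows the pointer's type, plus a comment above the pair such as `/* start from an all-ones mask, then zero the unused L3 pad words */`. ipsec_fp_ip6_get_policy_mask uses the same `sizeof (ipsec_fp_5tuple_t)` form. The function body starts and ends outside the hunk.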
@@ -397,7 +398,7 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask)
u64 *praddr_stop = (u64 *) &policy->raddr.stop;
u64 *prmask = (u64 *) &mask->ip6_raddr;
- memset (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+ clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
*plmask = (*pladdr_start++ ^ *pladdr_stop++);