From 818806062cd36a816fd778c6993d20d442d3d3ac Mon Sep 17 00:00:00 2001
From: Piotr Bronowski
Date: Mon, 18 Jul 2022 16:45:22 +0000
Subject: ipsec: fix coverity warnings found in fast path implementation
This patch fixes followig coverity issues:
CID 274739 Out-of-bounds read
CID 274746 Out-of-bounds access
CID 274748 Out-of-bounds read
Type: fix
Signed-off-by: Piotr Bronowski
Change-Id: I9bb6741f100a9414a5a15278ffa49b31ccd7994f
---
 src/vnet/ipsec/ipsec_spd_fp_lookup.h | 10 +++++-----
 src/vnet/ipsec/ipsec_spd_policy.c | 19 ++++++++++---------
 2 files changed, 15 insertions(+), 14 deletions(-)
(limited to 'src/vnet/ipsec')
diff --git a/src/vnet/ipsec/ipsec_spd_fp_lookup.h b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
index 912e18a3f8a..3aea86f70a0 100644
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@@ -140,8 +140,8 @@ ipsec_fp_ip6_out_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
 {
 mte = im->fp_mask_types + *mti;
- pmatch = (u64 *) &match->ip6_laddr;
- pmask = (u64 *) &mte->mask.ip6_laddr;
+ pmatch = (u64 *) match->kv_40_8.key;
+ pmask = (u64 *) mte->mask.kv_40_8.key;
 pkey = (u64 *) kv.key;
 *pkey++ = *pmatch++ & *pmask++;
@@ -241,12 +241,12 @@ ipsec_fp_ip4_out_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
 {
 mte = im->fp_mask_types + *mti;
- pmatch = (u64 *) &match->laddr;
- pmask = (u64 *) &mte->mask.laddr;
+ pmatch = (u64 *) match->kv_16_8.key;
+ pmask = (u64 *) mte->mask.kv_16_8.key;
 pkey = (u64 *) kv.key;
 *pkey++ = *pmatch++ & *pmask++;
- *pkey++ = *pmatch++ & *pmask++;
+ *pkey = *pmatch & *pmask;
 int res = clib_bihash_search_inline_2_16_8 ( &pspd_fp->fp_ip4_lookup_hash, &kv, &result);
diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c
index b198c205510..1334491b228 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
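Review bot: Nothing in this change pins the struct layout it relies on: in ipsec_fp_ip6_out_policy_match_n the masked key is now read from `match->kv_40_8.key` and `mte->mask.kv_40_8.key`, which matches the old `&match->ip6_laddr` only if the bihash key overlays the address fields exactly. The definition of ipsec_fp_5tuple_t is not part of the diff, so that overlay is inferred. A compile-time check next to the type, for example `STATIC_ASSERT (offsetof (ipsec_fp_5tuple_t, kv_40_8.key) == offsetof (ipsec_fp_5tuple_t, ip6_laddr), "fp 5-tuple key overlay changed");`, would turn a later field reorder into a build failure rather than a silently wrong SPD policy match. The same applies to the `kv_16_8.key` / `laddr` pairing in ipsec_fp_ip4_out_policy_match_n and to both fill_ip*_hash_policy_kv hunks in ipsec_spd_policy.c. The loop body these lines sit in starts and ends outside the hunk.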
@@ -252,9 +252,9 @@ fill_ip6_hash_policy_kv (ipsec_fp_5tuple_t *match, ipsec_fp_5tuple_t *mask, clib_bihash_kv_40_8_t *kv)
 {
 ipsec_fp_lookup_value_t *kv_val = (ipsec_fp_lookup_value_t *) &kv->value;
- u64 *pmatch = (u64 *) &match->ip6_laddr;
- u64 *pmask = (u64 *) &mask->ip6_laddr;
- u64 *pkey = (u64 *) &kv->key;
+ u64 *pmatch = (u64 *) match->kv_40_8.key;
+ u64 *pmask = (u64 *) mask->kv_40_8.key;
+ u64 *pkey = (u64 *) kv->key;
 *pkey++ = *pmatch++ & *pmask++;
 *pkey++ = *pmatch++ & *pmask++;
@@ -270,12 +270,12 @@ fill_ip4_hash_policy_kv (ipsec_fp_5tuple_t *match, ipsec_fp_5tuple_t *mask, clib_bihash_kv_16_8_t *kv)
 {
 ipsec_fp_lookup_value_t *kv_val = (ipsec_fp_lookup_value_t *) &kv->value;
- u64 *pmatch = (u64 *) &match->laddr;
- u64 *pmask = (u64 *) &mask->laddr;
+ u64 *pmatch = (u64 *) match->kv_16_8.key;
+ u64 *pmask = (u64 *) mask->kv_16_8.key;
 u64 *pkey = (u64 *) kv->key;
 *pkey++ = *pmatch++ & *pmask++;
- *pkey++ = *pmatch++ & *pmask++;
+ *pkey = *pmatch & *pmask;
 kv_val->as_u64 = 0;
 }
@@ -349,8 +349,9 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask)
 u32 *praddr_stop = (u32 *) &policy->raddr.stop.ip4;
 u32 *prmask = (u32 *) &mask->raddr;
- memset (mask, 0, sizeof (mask->l3_zero_pad));
- memset (plmask, 0xff, sizeof (*mask) - sizeof (mask->l3_zero_pad));
+ clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+ clib_memset_u8 (&mask->l3_zero_pad, 0, sizeof (mask->l3_zero_pad));
+ /* find bits where start != stop */
 *plmask = *pladdr_start ^ *pladdr_stop;
 *prmask = *praddr_start ^ *praddr_stop;
@@ -397,7 +398,7 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask)
 u64 *praddr_stop = (u64 *) &policy->raddr.stop;
 u64 *prmask = (u64 *) &mask->ip6_raddr;
- memset (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+ clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
 *plmask = (*pladdr_start++ ^ *pladdr_stop++);
-- 
cgit 1.2.3-korg
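Review bot: fill_ip4_hash_policy_kv still builds the key through three `(u64 *)` casts and a pointer walk, which hides the two-word key size from both the reader and the static analyser; this is presumably the shape that drew the out-of-bounds reports. If `key` is declared as a u64 array (its declaration is not in the diff), indexed stores need no casts and make the bounds explicit: `kv->key[0] = match->kv_16_8.key[0] & mask->kv_16_8.key[0];` followed by `kv->key[1] = match->kv_16_8.key[1] & mask->kv_16_8.key[1];`. The ipsec_fp_ip4_out_policy_match_n hunk in ipsec_spd_fp_lookup.h repeats the same masking lines and could take the same form, so the two copies stay in step.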
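Review bot: The two `clib_memset_u8` calls added in ipsec_fp_ip4_get_policy_mask are order-dependent and nothing on the page says so: the whole-struct 0xff fill has to run before the `l3_zero_pad` clear, and swapping them would leave the pad bytes set in the mask. A short comment above the pair, such as `/* fill everything, then clear the pad: order matters */`, would protect that. Writing the length as `sizeof (*mask)` rather than `sizeof (ipsec_fp_5tuple_t)` would also keep it tied to the pointer actually being written. The ipsec_fp_ip6_get_policy_mask hunk uses the same `sizeof (ipsec_fp_5tuple_t)` form. Both function bodies start and end outside their hunks.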