[ovs-dev] [PATCH] flow: Fix buffer overread in flow_hash_symmetric_l3l4().
Justin Pettit
jpettit.ovn at gmail.com
Fri Jun 2 00:48:05 UTC 2017
> On Jun 1, 2017, at 4:48 PM, Ben Pfaff <blp at ovn.org> wrote:
>
>> On Thu, Jun 01, 2017 at 04:18:40PM -0700, Justin Pettit wrote:
>>
>>> On May 26, 2017, at 4:46 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>
>>> IPv6 addresses have 2 64-bit parts, but this code thought they have 4.
>>>
>>> Found by Coverity.
>>>
>>> Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14762918&defectInstanceId=4304099&mergedDefectId=179866
>>> Signed-off-by: Ben Pfaff <blp at ovn.org>
>>> ---
>>> lib/flow.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/lib/flow.c b/lib/flow.c
>>> index 7f98a46ae737..52e10084bbee 100644
>>> --- a/lib/flow.c
>>> +++ b/lib/flow.c
>>> @@ -1928,7 +1928,7 @@ flow_hash_symmetric_l3l4(const struct flow *flow, uint32_t basis,
>>> const uint64_t *a = ALIGNED_CAST(uint64_t *, flow->ipv6_src.s6_addr);
>>> const uint64_t *b = ALIGNED_CAST(uint64_t *, flow->ipv6_dst.s6_addr);
>>>
>>> - for (int i = 0; i < 4; i++) {
>>> + for (int i = 0; i < 2; i++) {
>>> hash = hash_add64(hash, a[i] ^ b[i]);
>>
>> Do you think it's worth adding a comment or using sizeof? It probably won't get reverted, but I think most people think about these being "four".
>
> Thanks for the review.
>
> How about this?
>
> for (int i = 0; i < sizeof flow->ipv6_src / sizeof *a; i++) {
> hash = hash_add64(hash, a[i] ^ b[i]);
> }
Looks good. Thanks!
--Justin
More information about the dev
mailing list