[ovs-dev] [patch v4] conntrack: Fix possibly uninitialized memory.

Tue Feb 5 00:02:15 UTC 2019

There are a few cases where struct 'conn_key' padding may be unspecified
according to the C standard.  Practically, it seems implementations don't
have issue, but it is better to be safe. The code paths modified are not
hot ones.  Fix this by doing a memcpy in these cases in lieu of a
structure copy.

Found by inspection.

Signed-off-by: Darrell Ball <dlu998 at gmail.com>
---

v4: Use memcpy as safest option (Thanks Ben) in lieu of memset zero and
    structure copy; reinstate a couple lines carelessly removed
    (Thanks Aaron).
v3: Removed an unnecessary change and limited scope of 2 others.
v2: Found another one; will double check for others later.

 lib/conntrack.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index e1f4041..7a03009 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -748,7 +748,7 @@ conn_lookup(struct conntrack *ct, const struct conn_key *key, long long now)
 {
     struct conn_lookup_ctx ctx;
     ctx.conn = NULL;
-    ctx.key = *key;
+    memcpy(&ctx.key, key, sizeof ctx.key);
     ctx.hash = conn_key_hash(key, ct->hash_basis);
     unsigned bucket = hash_to_bucket(ctx.hash);
     conn_key_lookup(&ct->buckets[bucket], &ctx, now);
@@ -905,7 +905,7 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
                     nc->rev_key.src.addr = alg_exp->alg_nat_repl_addr;
                     nc->nat_info->nat_action = NAT_ACTION_DST;
                 }
-                *conn_for_un_nat_copy = *nc;
+                memcpy(conn_for_un_nat_copy, nc, sizeof *conn_for_un_nat_copy);
                 ct_rwlock_wrlock(&ct->resources_lock);
                 bool new_insert = nat_conn_keys_insert(&ct->nat_conn_keys,
                                                        conn_for_un_nat_copy,
@@ -919,7 +919,7 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
                     free(log_msg);
                 }
             } else {
-                *conn_for_un_nat_copy = *nc;
+                memcpy(conn_for_un_nat_copy, nc, sizeof *conn_for_un_nat_copy);
                 ct_rwlock_wrlock(&ct->resources_lock);
                 bool nat_res = nat_select_range_tuple(ct, nc,
                                                       conn_for_un_nat_copy);
@@ -1262,7 +1262,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
                                      ct->hash_basis,
                                      alg_src_ip_wc(ct_alg_ctl));
         if (alg_exp) {
-            alg_exp_entry = *alg_exp;
+            memcpy(&alg_exp_entry, alg_exp, sizeof alg_exp_entry);
             alg_exp = &alg_exp_entry;
         }
         ct_rwlock_unlock(&ct->resources_lock);
@@ -2614,7 +2614,8 @@ static struct alg_exp_node *
 expectation_lookup(struct hmap *alg_expectations, const struct conn_key *key,
                    uint32_t basis, bool src_ip_wc)
 {
-    struct conn_key check_key = *key;
+    struct conn_key check_key;
+    memcpy(&check_key, key, sizeof check_key);
     check_key.src.port = ALG_WC_SRC_PORT;
 
     if (src_ip_wc) {
-- 
1.9.1

