[ovs-dev] [PATCH] netdev-offload-dpdk: fix a crash in dump_flow_attr()

Sriharsha Basavapatna sriharsha.basavapatna at broadcom.com
Wed Aug 11 05:05:15 UTC 2021 

On Wed, Aug 11, 2021 at 6:21 AM Gaëtan Rivet <grive at u256.net> wrote:
>
> On Wed, Aug 4, 2021, at 14:37, Sriharsha Basavapatna via dev wrote:
> > In netdev_offload_dpdk_flow_create() when an offload request fails,
> > dump_flow() is called to log a warning message. The 's_tnl' string
> > in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally
> > via ds_put_format(). If it is not initialized, it crashes later in
> > dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string.
> >
> > Fix this by initializing s_tnl using ds_cstr(). Fix a similar
> > issue with actions->s_tnl.
> >
> > Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna at broadcom.com>
>
> Hello Harsha,
>
> Thanks for the fix. I have a remark below.

Thanks Gaetan, please see my response inline.

>
> > ---
> >  lib/netdev-offload-dpdk.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/lib/netdev-offload-dpdk.c b/lib/netdev-offload-dpdk.c
> > index f6706ee0c..243e2c430 100644
> > --- a/lib/netdev-offload-dpdk.c
> > +++ b/lib/netdev-offload-dpdk.c
> > @@ -788,6 +788,7 @@ free_flow_patterns(struct flow_patterns *patterns)
> >              free(CONST_CAST(void *, patterns->items[i].mask));
> >          }
> >      }
> > +    ds_destroy(&patterns->s_tnl);
> >      free(patterns->items);
> >      patterns->items = NULL;
> >      patterns->cnt = 0;
> > @@ -1334,6 +1335,7 @@ netdev_offload_dpdk_mark_rss(struct flow_patterns
> > *patterns,
> >      struct rte_flow_error error;
> >      struct rte_flow *flow;
> >
> > +    ds_cstr(&actions.s_tnl);
>
> You are forced to use 'ds_cstr' because 'ds_clone' crashes on properly initialized
> ds. I think this is an issue with 'ds_clone'.
>
> I would expect all ds_ functions to work with strings that were initialized with
> 'ds_init' or set to 'DS_EMPTY_INITIALIZER'.
>
> In this case, I think it's better to use .s_tnl = DS_EMPTY_INITIALIZER in the actions
> initializer list and have a fix for 'ds_clone' so that it won't crash with correct strings.

Are you suggesting something like this in ds_clone():

if (source->string)
     memcpy(dst->string, source->string, dst->allocated + 1);

I suspect that's inconsistent with other functions in the ds library.
The expectation seems to be that callers initialize their strings with
a call to ds_cstr() before using a ds string.

Here's the comments from the header file for reference:

 * The 'string' member does not always point to a null-terminated string.
 * Initially it is NULL, and even when it is nonnull, some operations do not
 * ensure that it is null-terminated.  Use ds_cstr() to ensure that memory is
 * allocated for the string and that it is null-terminated. */
struct ds {
    char *string;       /* Null-terminated string. */

Let me know what you think.

Thanks,
-Harsha
>
> --
> Gaetan Rivet

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.

More information about the dev mailing list