The nix_inl_reass_inb_sa_tbl_setup() function initializes inb_sa_sz
to 1 byte, then allocates a buffer of that size. However, the buffer
is subsequently passed to roc_ow_reass_inb_sa_init() which performs:

    memset(sa, 0, sizeof(struct roc_ow_ipsec_inb_sa));

This writes 808 bytes into a 1-byte allocation, causing heap corruption.

This bug was detected by GCC's -Wstringop-overflow warning when
building with LTO, which enables cross-compilation-unit inlining
and allows the compiler to track the allocation size through to
the memset call.

Fix by initializing inb_sa_sz to ROC_NIX_INL_OW_IPSEC_INB_SA_SZ,
which is the standard macro used elsewhere in this file for OW
(Sobek) inbound SA allocations.

Fixes: 75e073242acb ("common/cnxk: support reassembly with inline IPsec")
Cc: [email protected]

Signed-off-by: Stephen Hemminger <[email protected]>
---
 drivers/common/cnxk/roc_nix_inl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_nix_inl.c 
b/drivers/common/cnxk/roc_nix_inl.c
index f8be98efd5..1766f68c17 100644
--- a/drivers/common/cnxk/roc_nix_inl.c
+++ b/drivers/common/cnxk/roc_nix_inl.c
@@ -583,7 +583,7 @@ nix_inl_reass_inb_sa_tbl_setup(struct roc_nix *roc_nix)
        uint64_t sa_idx_w, lenm1_max;
        uint64_t res_addr_offset = 0;
        uint64_t def_cptq = 0;
-       size_t inb_sa_sz = 1;
+       size_t inb_sa_sz = ROC_NIX_INL_OW_IPSEC_INB_SA_SZ;
        uint8_t profile_id;
        struct mbox *mbox;
        void *sa;
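Review bot: the corrected declaration at `+       size_t inb_sa_sz = ROC_NIX_INL_OW_IPSEC_INB_SA_SZ;` fixes the 1-byte allocation, but nothing in the change ties that allocation size to the `sizeof(struct roc_ow_ipsec_inb_sa)` that roc_ow_reass_inb_sa_init() memsets, so the same class of heap overflow could return if either side changes independently; consider adding a compile-time check that ROC_NIX_INL_OW_IPSEC_INB_SA_SZ is at least sizeof(struct roc_ow_ipsec_inb_sa) near the allocation so a mismatch fails the build rather than relying on an LTO -Wstringop-overflow warning. Since the hunk shows only the declaration, it is also worth confirming that inb_sa_sz is not reassigned later in nix_inl_reass_inb_sa_tbl_setup() before the buffer is allocated.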
-- 
2.51.0