Coverity reports an out-of-bounds access warning (CID 278397) in the
commit_encap_decap_action() function for the PT_NSH case.
The code uses memcpy to copy fields from dl_dst onwards:
memcpy(&base_flow->dl_dst, &flow->dl_dst,
sizeof(*flow) - offsetof(struct flow, dl_dst));
Coverity sees &base_flow->dl_dst as a pointer to a 6-byte struct
eth_addr and flags the ~200-byte memcpy as a buffer overflow. While
this works in practice (dl_dst is followed by other struct fields),
it's fragile and confusing to static analyzers because we're treating
a member pointer as if it points to a larger memory region.
Fix this by using byte-level pointer arithmetic on the structs
themselves rather than on the member. This makes it explicit that
we're copying from an offset within the struct to the end of the
struct, which is clearer to both humans and static analyzers.
Fixes: 1fc11c5948cf ("Generic encap and decap support for NSH")
Signed-off-by: Eelco Chaudron <[email protected]>
---
lib/odp-util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/odp-util.c b/lib/odp-util.c
index b152a6bcf..e293388d2 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -8799,7 +8799,8 @@ commit_encap_decap_action(const struct flow *flow,
odp_put_push_nsh_action(odp_actions, flow, encap_data);
base_flow->packet_type = flow->packet_type;
/* Update all packet headers in base_flow. */
- memcpy(&base_flow->dl_dst, &flow->dl_dst,
+ memcpy((char *) base_flow + offsetof(struct flow, dl_dst),
+ (const char *) flow + offsetof(struct flow, dl_dst),
sizeof(*flow) - offsetof(struct flow, dl_dst));
break;
case PT_MPLS:
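Review bot: offsetof(struct flow, dl_dst) is now spelled out three times in one memcpy call; hoisting it into a local (for example `size_t off = offsetof(struct flow, dl_dst);`) would keep the call readable and make the "from dl_dst to the end of the struct" intent visible at a glance. The copy still depends silently on every packet-header field of struct flow being laid out after dl_dst, which is the assumption the commit message describes as working in practice; if correctness hinges on that ordering, stating it in the comment above the memcpy (or pinning it with a compile-time layout check) would stop a future reordering of struct flow from breaking this copy without any diagnostic.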
--
2.52.0
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
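The following is an added, stand-alone illustration of the technique the patch describes, not code from Open vSwitch: it places the member-pointer memcpy that static analyzers flag beside the offset-based form, adds the compile-time layout check the approach relies on, and verifies that both forms produce byte-identical results while leaving the metadata in front of the copied region untouched. The struct name `toy_flow`, its fields and the macros `TAIL_SIZE` / `COPY_TAIL_FROM` are constructed for this example and are not the real `struct flow` from lib/flow.h.

```c
/* Added example, not OVS code: copying the tail of a struct starting at a
 * member, using byte-level pointer arithmetic on the struct pointers so the
 * memcpy length is not compared against the member's own (smaller) type. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct eth_addr { uint8_t ea[6]; };   /* constructed stand-in, 6 bytes */

/* Constructed stand-in for a flow-like struct: metadata first, then the
 * packet headers, which begin at dl_dst. Layout is padding-free: 32 bytes. */
struct toy_flow {
    uint32_t packet_type;          /* metadata, must not be overwritten */
    uint32_t in_port;              /* metadata, must not be overwritten */
    struct eth_addr dl_dst;        /* first packet-header field, offset 8 */
    struct eth_addr dl_src;
    uint16_t dl_type;
    uint8_t  nw_proto;
    uint8_t  nw_ttl;
    uint32_t nw_src;
    uint32_t nw_dst;
};

/* Bytes from member MEMBER to the end of struct TYPE. */
#define TAIL_SIZE(TYPE, MEMBER) (sizeof(TYPE) - offsetof(TYPE, MEMBER))

/* Copy everything from MEMBER to the end of the struct. The addresses are
 * derived from the struct pointers, not from the member, so an analyzer sees
 * a copy within a sizeof(TYPE) object rather than a copy past a 6-byte one. */
#define COPY_TAIL_FROM(DST, SRC, TYPE, MEMBER)                               \
    memcpy((char *) (DST) + offsetof(TYPE, MEMBER),                           \
           (const char *) (SRC) + offsetof(TYPE, MEMBER),                     \
           TAIL_SIZE(TYPE, MEMBER))

/* Compile-time pinning of the layout assumption: the metadata must sit in
 * front of dl_dst and the last header field must lie inside the copied tail.
 * Reordering the struct breaks the build here instead of silently miscopying. */
_Static_assert(offsetof(struct toy_flow, in_port) < offsetof(struct toy_flow, dl_dst),
               "metadata must precede dl_dst");
_Static_assert(offsetof(struct toy_flow, nw_dst) >= offsetof(struct toy_flow, dl_dst),
               "nw_dst must lie within the copied tail");

/* The fragile form: the destination expression names a 6-byte member while
 * the length covers 24 bytes. Works on this layout, but Coverity (and some
 * compilers' overflow checks) may report it as an out-of-bounds write. */
static void
copy_tail_via_member(struct toy_flow *base, const struct toy_flow *flow)
{
    memcpy(&base->dl_dst, &flow->dl_dst, TAIL_SIZE(struct toy_flow, dl_dst));
}

/* The form the patch switches to. */
static void
copy_tail_via_offset(struct toy_flow *base, const struct toy_flow *flow)
{
    COPY_TAIL_FROM(base, flow, struct toy_flow, dl_dst);
}

size_t
toy_tail_size(void)
{
    return TAIL_SIZE(struct toy_flow, dl_dst);   /* 32 - 8 = 24 */
}

/* Returns 1 if both copy forms yield byte-identical results, the metadata in
 * front of dl_dst survives, and the header fields now match the source. */
int
tail_copy_demo(void)
{
    struct toy_flow flow, base_a, base_b;

    /* Constructed sample values. */
    memset(&flow, 0, sizeof flow);
    flow.packet_type = 0x22;
    flow.in_port = 9;
    memcpy(flow.dl_dst.ea, "\x00\x11\x22\x33\x44\x55", 6);
    memcpy(flow.dl_src.ea, "\x66\x77\x88\x99\xaa\xbb", 6);
    flow.dl_type = 0x0800;
    flow.nw_proto = 6;
    flow.nw_ttl = 64;
    flow.nw_src = 0x0a000001;
    flow.nw_dst = 0x0a000002;

    memset(&base_a, 0, sizeof base_a);
    base_a.packet_type = 0x11;          /* metadata that must be preserved */
    base_a.in_port = 7;
    memcpy(&base_b, &base_a, sizeof base_a);

    copy_tail_via_member(&base_a, &flow);
    copy_tail_via_offset(&base_b, &flow);

    if (memcmp(&base_a, &base_b, sizeof base_a) != 0) return 0;
    if (base_b.packet_type != 0x11 || base_b.in_port != 7) return 0;
    if (memcmp(&base_b.dl_dst, &flow.dl_dst, sizeof flow.dl_dst) != 0) return 0;
    if (base_b.nw_dst != flow.nw_dst || base_b.nw_ttl != flow.nw_ttl) return 0;
    return 1;
}
```

The two `_Static_assert` lines are the part worth carrying over to real code: the offset-based memcpy only quiets the analyzer, while the layout check is what turns the "dl_dst is followed by the other header fields" assumption into something the compiler enforces.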