[PATCH dpdk 2/2] net/ipv6: fix out-of-bounds read

[Robin Jarry]

Fix the following out-of-bounds read in rte_ipv6_addr_mask() reported by
Coverity:

83 static inline void
84 rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
85 {
       1. Condition depth < 128 /* 16 * 8 */, taking true branch.
       2. cond_at_most: Checking depth < 128 implies that depth may be
                        up to 127 on the true branch.
86        if (depth < RTE_IPV6_MAX_DEPTH) {
       3. assignment: Assigning: d = depth / 8.
                      The value of d may now be up to 15.
87                uint8_t d = depth / 8;
88                uint8_t mask = ~(UINT8_MAX >> (depth % 8));
89                ip->a[d] &= mask;
       4. incr: Incrementing d. The value of d may now be up to 16.
90                d++;
       CID 446754: (#1 of 1): Out-of-bounds read (OVERRUN)
       5. overrun-local: Overrunning array of 16 bytes at byte offset
                         16 by dereferencing pointer &ip->a[d].
91                memset(&ip->a[d], 0, sizeof(*ip) - d);
92        }
93 }

Use a simple loop instead of memset.

Coverity issue: 446754
Fixes: ca786def84ca ("net: add IPv6 address structure and utils")

Signed-off-by: Robin Jarry <rjarry at redhat.com>
---
 lib/net/rte_ip6.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/net/rte_ip6.h b/lib/net/rte_ip6.h
index c015c977573d..3843fb7c2fd6 100644
--- a/lib/net/rte_ip6.h
+++ b/lib/net/rte_ip6.h
@@ -88,7 +88,8 @@ rte_ipv6_addr_mask(struct rte_ipv6_addr *ip, uint8_t depth)
 		uint8_t mask = ~(UINT8_MAX >> (depth % CHAR_BIT));
 		ip->a[d] &= mask;
 		d++;
-		memset(&ip->a[d], 0, sizeof(*ip) - d);
+		while (d < sizeof(*ip))
+			ip->a[d++] = 0;
 	}
 }
 
-- 
2.47.0