[Bug 265664] Undefined behaviour in sys/netinet/tcp_lro.h
Date: Fri, 05 Aug 2022 18:38:04 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265664

            Bug ID: 265664
           Summary: Undefined behaviour in sys/netinet/tcp_lro.h
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: nreilly@blackberry.com

union lro_address {
        u_long raw[1];
        struct {
                uint8_t lro_type;       /* internal */
                ...
        };
} __aligned(sizeof(u_long));

#define LRO_RAW_ADDRESS_MAX \
        (sizeof(union lro_address) / sizeof(u_long))

There are then a number of functions both in tcp_lro.h and tcp_lro.c that do
things like:

        for (unsigned i = 0; i < LRO_RAW_ADDRESS_MAX; i++) {
                if (pa->raw[i] != pb->raw[i])

This is undefined behaviour. Either the member "raw" should be removed and the
iteration over the structure rewritten, or the definition should be improved so
that the array size actually encompasses the entire struct.

-- 
You are receiving this mail because:
You are the assignee for the bug.
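The second remedy named in the report (sizing the array so it covers the whole struct) could look like the sketch below. This is an added example, not FreeBSD's code and not from the reporter: every `demo_` name and every field other than `lro_type` is a hypothetical stand-in for the elided members, and `unsigned long` stands in for `u_long`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fields (the report elides the real ones); explicit pads
 * keep the layout free of compiler-inserted padding. */
struct demo_lro_fields {
	uint8_t  lro_type;
	uint8_t  pad0[3];
	uint16_t sport, dport;
	uint32_t vlan;
	uint8_t  saddr[16], daddr[16];
	uint32_t pad1;
};

#define DEMO_RAW_WORDS \
	(sizeof(struct demo_lro_fields) / sizeof(unsigned long))
_Static_assert(sizeof(struct demo_lro_fields) % sizeof(unsigned long) == 0,
    "struct must be a whole number of words so raw[] covers every byte");

union demo_lro_address {
	unsigned long raw[DEMO_RAW_WORDS];	/* declared bound spans all of f */
	struct demo_lro_fields f;
};

/* Word-wise compare; each index stays inside the declared bound of raw[]. */
static int
demo_lro_address_equal(const union demo_lro_address *pa,
    const union demo_lro_address *pb)
{
	for (size_t i = 0; i < DEMO_RAW_WORDS; i++)
		if (pa->raw[i] != pb->raw[i])
			return (0);
	return (1);
}

/* Constructed self-check: keys that differ only outside the first word. */
static int
demo_detects_tail_difference(void)
{
	union demo_lro_address a, b;

	memset(&a, 0, sizeof(a));
	memset(&b, 0, sizeof(b));
	a.f.lro_type = b.f.lro_type = 1;
	if (!demo_lro_address_equal(&a, &b))
		return (0);
	b.f.daddr[15] = 0x01;	/* byte offset 43, beyond raw[0] */
	return (!demo_lro_address_equal(&a, &b));
}

int main(void) { return (demo_detects_tail_difference() ? 0 : 1); }
```

With the array bound derived from the struct size, the loop limit and the declared length of `raw` cannot drift apart, and the static assertion fails the build if a later field change leaves bytes uncovered.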