Skip to content

Commit 78959ec

Browse files
soopelsoopel
committed
Addressed the Coverity-reported UDP dequeue issue by tightening the header/payload bounds checks, switching to a safe payload pointer, and rebuilding to ensure everything still compiles—here’s the rundown.
Actions taken Guarded udp_rx_dequeue against truncated mbufs by comparing rte_pktmbuf_pkt_len(pkt) with sizeof(struct mt_udp_hdr) and bailing with EBADMSG if the headers aren’t fully present. Recomputed the payload pointer via rte_pktmbuf_mtod_offset and validated the UDP payload length against both the UDP header value and the actual bytes available in the mbuf before any rte_memcpy, preventing the out-of-bounds read. Logged richer diagnostics (using signed widths) and set errno when malformed packets are detected so callers receive a clear failure instead of silent drops.
1 parent 5770478 commit 78959ec

File tree

1 file changed

+24
-3
lines changed

1 file changed

+24
-3
lines changed

lib/src/udp/udp_main.c

Lines changed: 24 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -913,10 +913,31 @@ static ssize_t udp_rx_dequeue(struct mudp_impl* s, void* buf, size_t len, int fl
913913
s->stat_pkt_dequeue++;
914914

915915
struct mt_udp_hdr* hdr = rte_pktmbuf_mtod(pkt, struct mt_udp_hdr*);
916+
const size_t hdr_len = sizeof(*hdr);
917+
uint32_t pkt_len = rte_pktmbuf_pkt_len(pkt);
918+
919+
if (pkt_len < hdr_len) {
920+
err("%s(%d), invalid packet len %u < header len %zu\n", __func__, idx, pkt_len,
921+
hdr_len);
922+
rte_pktmbuf_free(pkt);
923+
errno = EBADMSG;
924+
return -1;
925+
}
926+
916927
struct rte_udp_hdr* udp = &hdr->udp;
917-
void* payload = &udp[1];
918-
ssize_t payload_len = ntohs(udp->dgram_len) - sizeof(*udp);
919-
dbg("%s(%d), payload_len %" PRIu64 " bytes\n", __func__, idx, payload_len);
928+
ssize_t payload_len = (ssize_t)ntohs(udp->dgram_len) - sizeof(*udp);
929+
ssize_t payload_cap = (ssize_t)pkt_len - hdr_len;
930+
931+
if (payload_len < 0 || payload_len > payload_cap) {
932+
err("%s(%d), invalid payload len %" PRId64 " (cap %" PRId64 ")\n", __func__, idx,
933+
(int64_t)payload_len, (int64_t)payload_cap);
934+
rte_pktmbuf_free(pkt);
935+
errno = EBADMSG;
936+
return -1;
937+
}
938+
939+
void* payload = rte_pktmbuf_mtod_offset(pkt, void*, hdr_len);
940+
dbg("%s(%d), payload_len %" PRId64 " bytes\n", __func__, idx, (int64_t)payload_len);
920941

921942
if (payload_len <= len) {
922943
rte_memcpy(buf, payload, payload_len);

0 commit comments

Comments
 (0)