net: ipv6_fragment: fix shift_packets() algorithm

vaussard · cfriedt · commit c66b4288e037 · 2021-09-23T13:21:09.000-04:00
The purpose of shift_packets() is to make room to insert one fragment in
the list. This is not what it does currently, potentially leading to
-ENOMEM even if there is enough free room.

To see the current behaviour, let's assume that we receive 3 fragments
in reverse order:
- Frag3(offset = 0x40, M=0)
- Frag2(offset = 0x20, M=1)
- Frag1(offset = 0x00, M=1)

After receiving Frag3 and Frag2, pkt[] will look like:

  .-------.-------.-------.
  | Frag2 | Frag3 | NULL  |
  | 0x20  | 0x40  |       |
  '-------'-------'-------'
    pkt[0]  pkt[1]  pkt[2]

When receiving Frag1, shift_packets(pos = 0) is called to make some room
at position 0. It will iterate up to i = 2 where there is a free
element. The current algorithm will try to shift pkt[0] to pkt[2], which
is indeed impossible but also unnecessary. It is only required to shift
pkt[0] and pkt[1] by one element in order to free pkt[0] to insert
Frag1.

Update the algorithm in order to shift the memory only by one element.
As a result, the ENOMEM test is only simpler: as long as we encounter
one free element, we are guaranteed that we can shift by one element.
Also assign a NULL value to the newly freed element since memmove() only
copy bytes.

Signed-off-by: Florian Vaussard &lt;florian.vaussard@gmail.com&gt;
diff --git a/subsys/net/ip/ipv6_fragment.c b/subsys/net/ip/ipv6_fragment.c
@@ -432,24 +432,23 @@ static int shift_packets(struct net_ipv6_reassembly *reass, int pos)
 			NET_DBG("Moving [%d] %p (offset 0x%x) to [%d]",
 				pos, reass->pkt[pos],
 				net_pkt_ipv6_fragment_offset(reass->pkt[pos]),
-				i);
+				pos + 1);
 
-			/* Do we have enough space in packet array to make
-			 * the move?
+			/* pkt[i] is free, so shift everything between
+			 * [pos] and [i - 1] by one element
 			 */
-			if (((i - pos) + 1) >
-			    (NET_IPV6_FRAGMENTS_MAX_PKT - i)) {
-				return -ENOMEM;
-			}
-
-			memmove(&reass->pkt[i], &reass->pkt[pos],
+			memmove(&reass->pkt[pos + 1], &reass->pkt[pos],
 				sizeof(void *) * (i - pos));
 
+			/* pkt[pos] is now free */
+			reass->pkt[pos] = NULL;
+
 			return 0;
 		}
 	}
 
-	return -EINVAL;
+	/* We do not have free space left in the array */
+	return -ENOMEM;
 }
 
 enum net_verdict net_ipv6_handle_fragment_hdr(struct net_pkt *pkt,
