ipsec: fix coverity warnings found in fast path implementation

This patch fixes followig coverity issues:
CID 274739 Out-of-bounds read
CID 274746 Out-of-bounds access
CID 274748 Out-of-bounds read

Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I9bb6741f100a9414a5a15278ffa49b31ccd7994f

diff --git a/src/vnet/ipsec/ipsec_spd_fp_lookup.h b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
index 912e18a..3aea86f 100644 (file)
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@@ -140,8 +140,8 @@ ipsec_fp_ip6_out_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
        {
          mte = im->fp_mask_types + *mti;
 
-         pmatch = (u64 *) &match->ip6_laddr;
-         pmask = (u64 *) &mte->mask.ip6_laddr;
+         pmatch = (u64 *) match->kv_40_8.key;
+         pmask = (u64 *) mte->mask.kv_40_8.key;
          pkey = (u64 *) kv.key;
 
          *pkey++ = *pmatch++ & *pmask++;
@@ -241,12 +241,12 @@ ipsec_fp_ip4_out_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
        {
          mte = im->fp_mask_types + *mti;
 
-         pmatch = (u64 *) &match->laddr;
-         pmask = (u64 *) &mte->mask.laddr;
+         pmatch = (u64 *) match->kv_16_8.key;
+         pmask = (u64 *) mte->mask.kv_16_8.key;
          pkey = (u64 *) kv.key;
 
          *pkey++ = *pmatch++ & *pmask++;
-         *pkey++ = *pmatch++ & *pmask++;
+         *pkey = *pmatch & *pmask;
 
          int res = clib_bihash_search_inline_2_16_8 (
            &pspd_fp->fp_ip4_lookup_hash, &kv, &result);

diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c
index b198c20..1334491 100644 (file)
--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
@@ -252,9 +252,9 @@ fill_ip6_hash_policy_kv (ipsec_fp_5tuple_t *match, ipsec_fp_5tuple_t *mask,
                         clib_bihash_kv_40_8_t *kv)
 {
   ipsec_fp_lookup_value_t *kv_val = (ipsec_fp_lookup_value_t *) &kv->value;
-  u64 *pmatch = (u64 *) &match->ip6_laddr;
-  u64 *pmask = (u64 *) &mask->ip6_laddr;
-  u64 *pkey = (u64 *) &kv->key;
+  u64 *pmatch = (u64 *) match->kv_40_8.key;
+  u64 *pmask = (u64 *) mask->kv_40_8.key;
+  u64 *pkey = (u64 *) kv->key;
 
   *pkey++ = *pmatch++ & *pmask++;
   *pkey++ = *pmatch++ & *pmask++;
@@ -270,12 +270,12 @@ fill_ip4_hash_policy_kv (ipsec_fp_5tuple_t *match, ipsec_fp_5tuple_t *mask,
                         clib_bihash_kv_16_8_t *kv)
 {
   ipsec_fp_lookup_value_t *kv_val = (ipsec_fp_lookup_value_t *) &kv->value;
-  u64 *pmatch = (u64 *) &match->laddr;
-  u64 *pmask = (u64 *) &mask->laddr;
+  u64 *pmatch = (u64 *) match->kv_16_8.key;
+  u64 *pmask = (u64 *) mask->kv_16_8.key;
   u64 *pkey = (u64 *) kv->key;
 
   *pkey++ = *pmatch++ & *pmask++;
-  *pkey++ = *pmatch++ & *pmask++;
+  *pkey = *pmatch & *pmask;
 
   kv_val->as_u64 = 0;
 }
@@ -349,8 +349,9 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask)
   u32 *praddr_stop = (u32 *) &policy->raddr.stop.ip4;
   u32 *prmask = (u32 *) &mask->raddr;
 
-  memset (mask, 0, sizeof (mask->l3_zero_pad));
-  memset (plmask, 0xff, sizeof (*mask) - sizeof (mask->l3_zero_pad));
+  clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+  clib_memset_u8 (&mask->l3_zero_pad, 0, sizeof (mask->l3_zero_pad));
+
   /* find bits where start != stop */
   *plmask = *pladdr_start ^ *pladdr_stop;
   *prmask = *praddr_start ^ *praddr_stop;
@@ -397,7 +398,7 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask)
   u64 *praddr_stop = (u64 *) &policy->raddr.stop;
   u64 *prmask = (u64 *) &mask->ip6_raddr;
 
-  memset (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+  clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
 
   *plmask = (*pladdr_start++ ^ *pladdr_stop++);