From: Ole Troan <ot@cisco.com>
Date: Tue, 11 Jan 2022 15:08:23 +0000 (+0100)
Subject: ip: coverity illegal access in ip6_ext_header_walk
X-Git-Tag: v22.06-rc0~28
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=de3648db09b2102224eba50fe7019ee388fa26e5;p=vpp.git

ip: coverity illegal access in ip6_ext_header_walk

*** CID 243670:  Memory - illegal accesses  (OVERRUN)
/src/vnet/ip/ip6_packet.h: 713 in ip6_ext_header_walk()
CID 243670:  Memory - illegal accesses  (OVERRUN)
Overrunning array "res->eh" of 4 4-byte elements at
element index 5 (byte offset 23) using index "i" (which evaluates to 5).

Type: fix
Fixes: 03092c1
Change-Id: I27e0435cf10534f3b41e11bf7a5629b5428b0651
Signed-off-by: Ole Troan <ot@cisco.com>
---

diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h
index 7f337a61be6..fecec7cdf5b 100644
--- a/src/vnet/ip/ip6_packet.h
+++ b/src/vnet/ip/ip6_packet.h
@@ -666,7 +666,7 @@ typedef struct
 } ip6_ext_hdr_chain_t;
 
 /*
- * find ipv6 extension header within ipv6 header within
+ * Find ipv6 extension header within ipv6 header within
  * whichever is smallest of buffer or IP6_EXT_HDR_MAX_DEPTH.
  * The complete header chain must be in first buffer.
  *
@@ -710,16 +710,9 @@ ip6_ext_header_walk (vlib_buffer_t *b, ip6_header_t *ip, int find_hdr_type,
       next_header = ip6_ext_next_header_s (next_proto, next_header, max_offset,
 					   &offset, &next_proto, &last);
     }
-  if (ip6_ext_hdr (res->eh[i].protocol))
-    {
-      /* Header chain is not terminated */
-      ;
-    }
   res->length = i;
   if (find_hdr_type < 0)
-    {
-      return i - 1;
-    }
+    return i - 1;
   return found != -1 ? found : i - 1;
 }