From 47bcca2ec8b3fb21b099a4f19a260a4783068e63 Mon Sep 17 00:00:00 2001 From: Andrew Yourtchenko Date: Tue, 28 Nov 2017 22:14:16 +0100 Subject: [PATCH] acl-plugin: fix coverity 177970-177973,178891, and incorrect reset of dot1q/dot1ad classifier mask 17797[1-3] have been a false positive in the optional debug CLI argument handling, 178891 was triggered by an unnecessary use of memcpy. Also fix the issue reported by khers (thanks!) - since 178891 was in the same place. Change-Id: I3a804e2b1d25d74c11fcc389020d2c1fd69902b2 Signed-off-by: Andrew Yourtchenko --- src/plugins/acl/acl.c | 46 +++++++++++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 13 deletions(-) diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 2c02047ff48..dbb740abc55 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -337,8 +337,6 @@ acl_del_list (u32 acl_list_index) /* Some aids in ASCII graphing the content */ #define XX "\377" #define __ "\000" -#define DOT1AD "\210\250" -#define DOT1Q "\201\00" #define _(x) #define v /* *INDENT-OFF* */ @@ -393,15 +391,15 @@ u8 ip4_5tuple_mask[] = u8 dot1q_5tuple_mask[] = _(" dmac smac dot1q etype ") - _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v DOT1Q __ __ v XX XX v + _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v XX XX __ __ v XX XX v _(padpad) __ __ __ __ _(padpad) __ __ __ __ _(padpad) __ __ __ __ _(padeth) __ __; u8 dot1ad_5tuple_mask[] = - _(" dmac smac dot1ad etype ") - _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v DOT1AD __ __ DOT1Q __ __ v XX XX v + _(" dmac smac dot1ad dot1q etype ") + _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v XX XX __ __ XX XX __ __ v XX XX v _(padpad) __ __ __ __ _(padpad) __ __ __ __ _(padeth) __ __; @@ -409,8 +407,6 @@ u8 ip4_5tuple_mask[] = /* *INDENT-ON* */ #undef XX #undef __ -#undef DOT1AD -#undef DOT1Q #undef _ #undef v @@ -639,6 +635,21 @@ acl_add_vlan_session (acl_main_t * am, u32 table_index, u8 is_output, } match = (is_dot1ad) ? dot1ad_5tuple_mask : dot1q_5tuple_mask; idx = (is_dot1ad) ? 20 : 16; + if (is_dot1ad) + { + /* 802.1ad ethertype */ + match[12] = 0x88; + match[13] = 0xa8; + /* 802.1q ethertype */ + match[16] = 0x81; + match[17] = 0x00; + } + else + { + /* 802.1q ethertype */ + match[12] = 0x81; + match[13] = 0x00; + } /* add sessions to vlan tables per ethernet_type */ if (is_ip6) @@ -655,7 +666,16 @@ acl_add_vlan_session (acl_main_t * am, u32 table_index, u8 is_output, } vnet_classify_add_del_session (cm, table_index, match, next_acl, session_idx, 0, 0, 0, 1); - memset (&match[idx], 0x00, 2); + /* reset the mask back to being a mask */ + match[idx] = 0xff; + match[idx + 1] = 0xff; + match[12] = 0xff; + match[13] = 0xff; + if (is_dot1ad) + { + match[16] = 0xff; + match[17] = 0xff; + } } static int @@ -2717,7 +2737,7 @@ acl_show_aclplugin_acl_fn (vlib_main_t * vm, acl_main_t *am = &acl_main; u32 acl_index = ~0; - unformat (input, "index %u", &acl_index); + (void) unformat (input, "index %u", &acl_index); acl_plugin_show_acl (am, acl_index); return error; @@ -2782,7 +2802,7 @@ acl_show_aclplugin_interface_fn (vlib_main_t * vm, acl_main_t *am = &acl_main; u32 sw_if_index = ~0; - unformat (input, "sw_if_index %u", &sw_if_index); + (void) unformat (input, "sw_if_index %u", &sw_if_index); int show_acl = unformat (input, "acl"); acl_plugin_show_interface (am, sw_if_index, show_acl); @@ -2964,9 +2984,9 @@ acl_show_aclplugin_sessions_fn (vlib_main_t * vm, u32 show_bihash_verbose = 0; u32 show_session_thread_id = ~0; u32 show_session_session_index = ~0; - unformat (input, "thread %u index %u", &show_session_thread_id, - &show_session_session_index); - unformat (input, "verbose %u", &show_bihash_verbose); + (void) unformat (input, "thread %u index %u", &show_session_thread_id, + &show_session_session_index); + (void) unformat (input, "verbose %u", &show_bihash_verbose); acl_plugin_show_sessions (am, show_session_thread_id, show_session_session_index); -- 2.16.6