From 5ff5d55291d2223c65f889b8eee446b8ed2c551c Mon Sep 17 00:00:00 2001 From: David Gibson Date: Thu, 12 Sep 2024 16:59:40 +1000 Subject: tcp: Avoid overlapping memcpy() in DUP_ACK handling When handling the DUP_ACK flag, we copy all the buffers making up the ack frame. However, all our frames share the same buffer for the Ethernet header (tcp4_eth_src or tcp6_eth_src), so copying the TCP_IOV_ETH will result in a (perfectly) overlapping memcpy(). This seems to have been harmless so far, but overlapping ranges to memcpy() is undefined behaviour, so we really should avoid it. Signed-off-by: David Gibson Signed-off-by: Stefano Brivio --- tcp_buf.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tcp_buf.c b/tcp_buf.c index 2e044b2..1a39846 100644 --- a/tcp_buf.c +++ b/tcp_buf.c @@ -332,9 +332,13 @@ int tcp_buf_send_flag(struct ctx *c, struct tcp_tap_conn *conn, int flags) else dup_iov = tcp6_l2_flags_iov[tcp6_flags_used++]; - for (i = 0; i < TCP_NUM_IOVS; i++) - memcpy(dup_iov[i].iov_base, iov[i].iov_base, - iov[i].iov_len); + for (i = 0; i < TCP_NUM_IOVS; i++) { + /* All frames share the same ethernet header buffer */ + if (i != TCP_IOV_ETH) { + memcpy(dup_iov[i].iov_base, iov[i].iov_base, + iov[i].iov_len); + } + } dup_iov[TCP_IOV_PAYLOAD].iov_len = iov[TCP_IOV_PAYLOAD].iov_len; } -- cgit v1.2.3