From d5b80ccc72ed36367ac327748be66323c858ad5d Mon Sep 17 00:00:00 2001 From: David Gibson Date: Sat, 24 Sep 2022 19:08:22 +1000 Subject: Fix widespread off-by-one error dealing with port numbers Port numbers (for both TCP and UDP) are 16-bit, and so fit exactly into a 'short'. USHRT_MAX is therefore the maximum port number and this is widely used in the code. Unfortunately, a lot of those places don't actually want the maximum port number (USHRT_MAX == 65535), they want the total number of ports (65536). This leads to a number of potentially nasty consequences: * We have buffer overruns on the port_fwd::delta array if we try to use port 65535 * We have similar potential overruns for the tcp_sock_* arrays * Interestingly udp_act had the correct size, but we can calculate it in a more direct manner * We have a logical overrun of the ports bitmap as well, although it will just use an unused bit in the last byte so isnt harmful * Many loops don't consider port 65535 (which does mitigate some but not all of the buffer overruns above) * In udp_invert_portmap() we incorrectly compute the reverse port translation for return packets Correct all these by using a new NUM_PORTS defined explicitly for this purpose. Signed-off-by: David Gibson --- conf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'conf.c') diff --git a/conf.c b/conf.c index 4e86508..993f840 100644 --- a/conf.c +++ b/conf.c @@ -209,7 +209,7 @@ static int conf_ports(const struct ctx *c, char optname, const char *optarg, if (sep == p) break; - if (port > USHRT_MAX || errno) + if (port >= NUM_PORTS || errno) goto bad; switch (*sep) { @@ -276,7 +276,7 @@ static int conf_ports(const struct ctx *c, char optname, const char *optarg, if (sep == p) break; - if (port > USHRT_MAX || errno) + if (port >= NUM_PORTS || errno) goto bad; /* -p 22 -- cgit v1.2.3