From 7b56117dae0f19c176d852ec7ee1f01937a994c7 Mon Sep 17 00:00:00 2001
From: David Gibson <david@gibson.dropbear.id.au>
Date: Fri, 8 Sep 2023 11:49:47 +1000
Subject: udp, tap: Correctly advance through packets in udp_tap_handler()

In both tap4_handler() and tap6_handler(), once we've sorted incoming l3
packets into "sequences", we then step through all the packets in each DUP
sequence calling udp_tap_handler().  Or so it appears.

In fact, udp_tap_handler() doesn't take an index and always starts with
packet 0 of the sequence, even if called repeatedly.  It appears to be
written with the idea that the struct pool is a queue, from which it
consumes packets as it processes them, but that's not how the pool data
structure works.

Correct this by adding an index parameter to udp_tap_handler() and altering
the loops in tap.c to step through the pool properly.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 tap.c | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

(limited to 'tap.c')

diff --git a/tap.c b/tap.c
index 445a5ca..93db989 100644
--- a/tap.c
+++ b/tap.c
@@ -707,24 +707,22 @@ append:
 
 	for (j = 0, seq = tap4_l4; j < seq_count; j++, seq++) {
 		struct pool *p = (struct pool *)&seq->p;
+		size_t k;
 
 		tap_packet_debug(NULL, NULL, seq, 0, NULL, p->count);
 
 		if (seq->protocol == IPPROTO_TCP) {
-			size_t k;
-
 			if (c->no_tcp)
 				continue;
 			for (k = 0; k < p->count; )
 				k += tcp_tap_handler(c, AF_INET, &seq->saddr,
 						     &seq->daddr, p, k, now);
 		} else if (seq->protocol == IPPROTO_UDP) {
-			size_t n = p->count;
-
 			if (c->no_udp)
 				continue;
-			while ((n -= udp_tap_handler(c, AF_INET, &seq->saddr,
-						     &seq->daddr, p, now)));
+			for (k = 0; k < p->count; )
+				k += udp_tap_handler(c, AF_INET, &seq->saddr,
+						     &seq->daddr, p, k, now);
 		}
 	}
 
@@ -872,25 +870,23 @@ append:
 
 	for (j = 0, seq = tap6_l4; j < seq_count; j++, seq++) {
 		struct pool *p = (struct pool *)&seq->p;
+		size_t k;
 
 		tap_packet_debug(NULL, NULL, NULL, seq->protocol, seq,
 				 p->count);
 
 		if (seq->protocol == IPPROTO_TCP) {
-			size_t k;
-
 			if (c->no_tcp)
 				continue;
 			for (k = 0; k < p->count; )
 				k += tcp_tap_handler(c, AF_INET6, &seq->saddr,
 						     &seq->daddr, p, k, now);
 		} else if (seq->protocol == IPPROTO_UDP) {
-			size_t n = p->count;
-
 			if (c->no_udp)
 				continue;
-			while ((n -= udp_tap_handler(c, AF_INET6, &seq->saddr,
-						     &seq->daddr, p, now)));
+			for (k = 0; k < p->count; )
+				k += udp_tap_handler(c, AF_INET6, &seq->saddr,
+						     &seq->daddr, p, k, now);
 		}
 	}
 
-- 
cgit v1.2.3