tcp: Avoid overlapping memcpy() in DUP_ACK handling

When handling the DUP_ACK flag, we copy all the buffers making up the ack frame. However, all our frames share the same buffer for the Ethernet header (tcp4_eth_src or tcp6_eth_src), so copying the TCP_IOV_ETH will result in a (perfectly) overlapping memcpy(). This seems to have been harmless so far, but overlapping ranges to memcpy() is undefined behaviour, so we really should avoid it. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2024-09-12 16:59:40 +10:00 · 2024-09-12 16:59:40 +10:00 · 5ff5d55291
commit 5ff5d55291
parent 1f414ed8f0
1 changed files with 7 additions and 3 deletions
--- a/tcp_buf.c
+++ b/tcp_buf.c
@ -332,9 +332,13 @@ int tcp_buf_send_flag(struct ctx *c, struct tcp_tap_conn *conn, int flags)
 		else
 			dup_iov = tcp6_l2_flags_iov[tcp6_flags_used++];

-		for (i = 0; i < TCP_NUM_IOVS; i++)
-			memcpy(dup_iov[i].iov_base, iov[i].iov_base,
-			       iov[i].iov_len);
+		for (i = 0; i < TCP_NUM_IOVS; i++) {
+			/* All frames share the same ethernet header buffer */
+			if (i != TCP_IOV_ETH) {
+				memcpy(dup_iov[i].iov_base, iov[i].iov_base,
+				       iov[i].iov_len);
+			}
+		}
 		dup_iov[TCP_IOV_PAYLOAD].iov_len = iov[TCP_IOV_PAYLOAD].iov_len;
 	}