Re: [dpdk-dev] [PATCH] rte_ether: force format string for unformat_addr

From: Aaron Conole <aconole@redhat.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: dev@dpdk.org, Olivier Matz <olivier.matz@6wind.com>,
	Andrew Rybchenko <arybchenko@solarflare.com>,
	Ferruh Yigit <ferruh.yigit@intel.com>,
	Michael Santana <msantana@redhat.com>
Subject: Re: [dpdk-dev] [PATCH] rte_ether: force format string for unformat_addr
Date: Wed, 10 Jul 2019 16:31:59 -0400	[thread overview]
Message-ID: <f7t5zo9oclc.fsf@dhcp-25.97.bos.redhat.com> (raw)
In-Reply-To: <20190710122756.62ec19a9@hermes.lan> (Stephen Hemminger's message of "Wed, 10 Jul 2019 12:27:56 -0700")

Stephen Hemminger <stephen@networkplumber.org> writes:

> On Wed, 10 Jul 2019 15:13:02 -0400
> Aaron Conole <aconole@redhat.com> wrote:
>
>> Stephen Hemminger <stephen@networkplumber.org> writes:
>> 
>> > On Wed, 10 Jul 2019 14:33:42 -0400
>> > Aaron Conole <aconole@redhat.com> wrote:
>> >  
>> >> rte_ether_unformation_addr is very lax in what it accepts now, including
>> >> ethernet addresses formatted ambiguously as "x:xx:x:xx:x:xx".  However,
>> >> previously this behavior was enforced via the my_ether_aton which would
>> >> fail ambiguously formatted values.
>> >> 
>> >> Reported-by: Michael Santana <msantana@redhat.com>
>> >> Fixes: 596d31092d32 ("net: add function to convert string to ethernet address")
>> >> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> >> ---
>> >>  lib/librte_net/rte_ether.c | 6 ++++--
>> >>  1 file changed, 4 insertions(+), 2 deletions(-)
>> >> 
>> >> diff --git a/lib/librte_net/rte_ether.c b/lib/librte_net/rte_ether.c
>> >> index 8d040173c..4f252b813 100644
>> >> --- a/lib/librte_net/rte_ether.c
>> >> +++ b/lib/librte_net/rte_ether.c
>> >> @@ -45,7 +45,8 @@ rte_ether_unformat_addr(const char *s, struct rte_ether_addr *ea)
>> >>  	if (n == 6) {
>> >>  		/* Standard format XX:XX:XX:XX:XX:XX */
>> >>  		if (o0 > UINT8_MAX || o1 > UINT8_MAX || o2 > UINT8_MAX ||
>> >> -		    o3 > UINT8_MAX || o4 > UINT8_MAX || o5 > UINT8_MAX) {
>> >> +		    o3 > UINT8_MAX || o4 > UINT8_MAX || o5 > UINT8_MAX ||
>> >> +		    strlen(s) != RTE_ETHER_ADDR_FMT_SIZE - 1) {
>> >>  			rte_errno = ERANGE;
>> >>  			return -1;
>> >>  		}
>> >> @@ -58,7 +59,8 @@ rte_ether_unformat_addr(const char *s, struct rte_ether_addr *ea)
>> >>  		ea->addr_bytes[5] = o5;
>> >>  	} else if (n == 3) {
>> >>  		/* Support the format XXXX:XXXX:XXXX */
>> >> -		if (o0 > UINT16_MAX || o1 > UINT16_MAX || o2 > UINT16_MAX) {
>> >> +		if (o0 > UINT16_MAX || o1 > UINT16_MAX || o2 > UINT16_MAX ||
>> >> +		    strlen(s) != RTE_ETHER_ADDR_FMT_SIZE - 4) {
>> >>  			rte_errno = ERANGE;
>> >>  			return -1;
>> >>  		}  
>> >
>> > NAK
>> > Skipping leading zero should be ok. There is no need for this patch.  
>> 
>> Is it intended to skip the leading 0?  Why not the trailing 0?  I'm not
>> familiar with the format that is used here  (example - X:XX:X:XX:X)
>> 
>> It isn't described in any RFC I could find (but I only did a small
>> search).  Even in IEEE, the format is always a full octet.
>> 
>> > The current behavior is superset of what standard ether_aton accepts.  
>> 
>> Okay, but it introduces a test failure for the cmdline tests and then
>> that test will need a few lines removed for 'unsuccessful' formats.
>> 
>> ether_aton is much more rigid in the formats it accepts, so the test
>> case is enforcing that.  I guess either the current behavior of this
>> function changes (and since it is a new behavior of the cmdline parser,
>> I would think it should be changed) or the test case should be changed
>> to adopt it.
>
> BSD ether_aton is:
> /*
>  * Convert an ASCII representation of an ethernet address to binary form.
>  */
> struct ether_addr *
> ether_aton_r(const char *a, struct ether_addr *e)
> {
> 	int i;
> 	unsigned int o0, o1, o2, o3, o4, o5;
>
> 	i = sscanf(a, "%x:%x:%x:%x:%x:%x", &o0, &o1, &o2, &o3, &o4, &o5);
> 	if (i != 6)
> 		return (NULL);
> 	e->octet[0]=o0;
> 	e->octet[1]=o1;
> 	e->octet[2]=o2;
> 	e->octet[3]=o3;
> 	e->octet[4]=o4;
> 	e->octet[5]=o5;
> 	return (e);
> }

Your implementation fixes the above by bounds checking each octet
to enforce that in the 6-octet form, each octet is bound to the region
00-ff.

The BSD example only accepts a 6-octet form.  Your version is intended
to accept both colon forms so x:x:x will successfully parse as well
(interpreted on the XXXX:XXXX:XXXX side) (ie: mac 02:03:04 or 2:3:4
would be accepted).  Further, accidentally passing an ipv6 address to
this routine (something a user of a cmdline interface might do) could be
parsed as valid (example: 2001:db8:2::1) - which would be the wrong
thing.  I think it would be strange for length limits to be enforced in
cmdline parser *after* calling this, but that might be an option for
fixing (so patch cmdline_parse_etheraddr to do a length check after the
unformat_addr call).

I guess I'm not sure what the *best* fix would be.  I think the most
sane fix is what I've put in since it will only allow the commonly
accepted notation, and not allow ad-hoc accidents.  Higher layers (like
cmdline parsers) are free to implement routines that reformat the lax
forms (like you might want to allow a user to pass) into more
restrictive forms required by a lower layer (like librte_net).  I
concede that there could be a more friendly thing to do in some specific
cases - but then we must more strictly validate the *form* (ie: we
have a scanf where one form is a subset of another and will be okay with
some kinds of invalid characters being inserted - allowing for things
like IPV6 addresses looking like ethernet hardware addresses).