d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

security: fix verification of parameters

Browse Source 
This patch adds verification of the parameters to the ret_security API
functions. All required parameters are checked if they are not NULL.

Checks verify full chain of pointers, e.g. in case of verification of
"instance->ops->session_XXX", they check also "instance"
and "instance->ops".

Fixes: c261d1431b ("security: introduce security API and framework")
Fixes: 1a08c379b9 ("security: support user data retrieval")
Cc: stable@dpdk.org

Signed-off-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This commit is contained in:
Lukasz Wojciechowski 2020-04-09 19:24:50 +02:00 committed by Akhil Goyal
parent 1fa538faeb
commit b6ee985478
1 changed files with 46 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
lib/librte_security/rte_security.c
View File

@ -1,6 +1,7 @@
/* SPDX-License-Identifier: BSD-3-Clause
* Copyright 2017 NXP.
* Copyright(c) 2017 Intel Corporation.
* Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
*/
#include <rte_malloc.h>
@ -9,6 +10,19 @@
#include "rte_security.h"
#include "rte_security_driver.h"
/* Macro to check for invalid pointers */
#define RTE_PTR_OR_ERR_RET(ptr, retval) do { \
if ((ptr) == NULL) \
return retval; \
} while (0)
/* Macro to check for invalid pointers chains */
#define RTE_PTR_CHAIN3_OR_ERR_RET(p1, p2, p3, retval, last_retval) do { \
RTE_PTR_OR_ERR_RET(p1, retval); \
RTE_PTR_OR_ERR_RET(p1->p2, retval); \
RTE_PTR_OR_ERR_RET(p1->p2->p3, last_retval); \
} while (0)
struct rte_security_session *
rte_security_session_create(struct rte_security_ctx *instance,
struct rte_security_session_conf *conf,
@ -16,10 +30,9 @@ rte_security_session_create(struct rte_security_ctx *instance,
{
struct rte_security_session *sess = NULL;
if (conf == NULL)
return NULL;
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, NULL);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
RTE_PTR_OR_ERR_RET(conf, NULL);
RTE_PTR_OR_ERR_RET(mp, NULL);
if (rte_mempool_get(mp, (void **)&sess))
return NULL;
@ -38,14 +51,19 @@ rte_security_session_update(struct rte_security_ctx *instance,
struct rte_security_session *sess,
struct rte_security_session_conf *conf)
{
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_update, -ENOTSUP);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_update, -EINVAL,
-ENOTSUP);
RTE_PTR_OR_ERR_RET(sess, -EINVAL);
RTE_PTR_OR_ERR_RET(conf, -EINVAL);
return instance->ops->session_update(instance->device, sess, conf);
}
unsigned int
rte_security_session_get_size(struct rte_security_ctx *instance)
{
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_get_size, 0);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_get_size, 0, 0);
return instance->ops->session_get_size(instance->device);
}
@ -54,7 +72,11 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
struct rte_security_session *sess,
struct rte_security_stats *stats)
{
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_stats_get, -ENOTSUP);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_stats_get, -EINVAL,
-ENOTSUP);
/* Parameter sess can be NULL in case of getting global statistics. */
RTE_PTR_OR_ERR_RET(stats, -EINVAL);
return instance->ops->session_stats_get(instance->device, sess, stats);
}
@ -64,7 +86,9 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
{
int ret;
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_destroy, -ENOTSUP);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_destroy, -EINVAL,
-ENOTSUP);
RTE_PTR_OR_ERR_RET(sess, -EINVAL);
if (instance->sess_cnt)
instance->sess_cnt--;
@ -81,7 +105,11 @@ rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
struct rte_security_session *sess,
struct rte_mbuf *m, void *params)
{
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP);
#ifdef RTE_DEBUG
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, set_pkt_metadata, -EINVAL,
-ENOTSUP);
RTE_PTR_OR_ERR_RET(sess, -EINVAL);
#endif
return instance->ops->set_pkt_metadata(instance->device,
sess, m, params);
}
@ -91,7 +119,9 @@ rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
{
void *userdata = NULL;
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->get_userdata, NULL);
#ifdef RTE_DEBUG
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, get_userdata, NULL, NULL);
#endif
if (instance->ops->get_userdata(instance->device, md, &userdata))
return NULL;
@ -101,7 +131,8 @@ rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
const struct rte_security_capability *
rte_security_capabilities_get(struct rte_security_ctx *instance)
{
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, capabilities_get, NULL, NULL);
return instance->ops->capabilities_get(instance->device);
}
@ -113,7 +144,9 @@ rte_security_capability_get(struct rte_security_ctx *instance,
const struct rte_security_capability *capability;
uint16_t i = 0;
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, capabilities_get, NULL, NULL);
RTE_PTR_OR_ERR_RET(idx, NULL);
capabilities = instance->ops->capabilities_get(instance->device);
if (capabilities == NULL)
@ -121,7 +154,7 @@ rte_security_capability_get(struct rte_security_ctx *instance,
while ((capability = &capabilities[i++])->action
!= RTE_SECURITY_ACTION_TYPE_NONE) {
if (capability->action == idx->action &&
if (capability->action == idx->action &&
capability->protocol == idx->protocol) {
if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC) {
if (capability->ipsec.proto ==