From f4821f92614bafaaee01721b3a5ffc29fe2f5365 Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tklauser@distanz.ch>
Date: Wed, 30 Apr 2014 13:32:08 +0200
Subject: ring: Consistently use size_t to specify ring size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The mm_len member of struct ring is of type size_t, but in the code
paths leading to set it, unsigned int is used. In circumstances where
unsigned int is 32 bit and size_t is 64 bit, this could lead to an
integer overflow, which causes an improper ring size being mmap()'ed in
mmap_ring_generic().

In order to prevent this, consistently use size_t to store the ring
size, since this is also what mmap() takes as its `length' parameter.

This now allows to specify ring sizes larger than 4 GiB for both
netsniff-ng and trafgen (fixes #90).

Reported-by: Jon Schipp <jonschipp@gmail.com>
Reported-by: Michał Purzyński <michalpurzynski1@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
---
 netsniff-ng.c | 12 ++++++++----
 ring.h        |  2 +-
 ring_rx.c     |  4 ++--
 ring_rx.h     |  4 ++--
 ring_tx.c     |  4 ++--
 ring_tx.h     |  4 ++--
 trafgen.c     |  6 ++++--
 7 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/netsniff-ng.c b/netsniff-ng.c
index ab3d53f..a994299 100644
--- a/netsniff-ng.c
+++ b/netsniff-ng.c
@@ -55,7 +55,8 @@ enum dump_mode {
 struct ctx {
 	char *device_in, *device_out, *device_trans, *filter, *prefix;
 	int cpu, rfraw, dump, print_mode, dump_dir, packet_type, verbose;
-	unsigned long kpull, dump_interval, reserve_size, tx_bytes, tx_packets;
+	unsigned long kpull, dump_interval, tx_bytes, tx_packets;
+	size_t reserve_size;
 	bool randomize, promiscuous, enforce, jumbo, dump_bpf;
 	enum pcap_ops_groups pcap; enum dump_mode dump_mode;
 	uid_t uid; gid_t gid; uint32_t link_type, magic;
@@ -170,7 +171,8 @@ static void pcap_to_xmit(struct ctx *ctx)
 {
 	uint8_t *out = NULL;
 	int irq, ifindex, fd = 0, ret;
-	unsigned int size, it = 0;
+	size_t size;
+	unsigned int it = 0;
 	unsigned long trunced = 0;
 	struct ring tx_ring;
 	struct frame_map *hdr;
@@ -344,7 +346,8 @@ static void receive_to_xmit(struct ctx *ctx)
 	short ifflags = 0;
 	uint8_t *in, *out;
 	int rx_sock, ifindex_in, ifindex_out, ret;
-	unsigned int size_in, size_out, it_in = 0, it_out = 0;
+	size_t size_in, size_out;
+	unsigned int it_in = 0, it_out = 0;
 	unsigned long frame_count = 0;
 	struct frame_map *hdr_in, *hdr_out;
 	struct ring tx_ring, rx_ring;
@@ -879,7 +882,8 @@ static void recv_only_or_dump(struct ctx *ctx)
 {
 	short ifflags = 0;
 	int sock, irq, ifindex, fd = 0, ret;
-	unsigned int size, it = 0;
+	size_t size;
+	unsigned int it = 0;
 	struct ring rx_ring;
 	struct pollfd rx_poll;
 	struct sock_fprog bpf_ops;
diff --git a/ring.h b/ring.h
index d3ccc04..acf5d59 100644
--- a/ring.h
+++ b/ring.h
@@ -67,7 +67,7 @@ static inline void next_rnd_slot(unsigned int *it, struct ring *ring)
 	*it = rand() % ring->layout.tp_frame_nr;
 }
 
-static inline unsigned int ring_size(char *ifname, unsigned int size)
+static inline size_t ring_size(char *ifname, size_t size)
 {
 	if (size > 0)
 		return size;
diff --git a/ring_rx.c b/ring_rx.c
index 59cafd3..c42c353 100644
--- a/ring_rx.c
+++ b/ring_rx.c
@@ -40,7 +40,7 @@ void destroy_rx_ring(int sock, struct ring *ring)
 		panic("Cannot destroy the RX_RING: %s!\n", strerror(errno));
 }
 
-void setup_rx_ring_layout(int sock, struct ring *ring, unsigned int size,
+void setup_rx_ring_layout(int sock, struct ring *ring, size_t size,
 			  bool jumbo_support, bool v3)
 {
 	fmemset(&ring->layout, 0, sizeof(ring->layout));
@@ -95,7 +95,7 @@ retry:
 	if (ret < 0)
 		panic("Cannot allocate RX_RING!\n");
 
-	ring->mm_len = ring->layout.tp_block_size * ring->layout.tp_block_nr;
+	ring->mm_len = (size_t) ring->layout.tp_block_size * ring->layout.tp_block_nr;
 
 	if (verbose) {
 		if (!v3) {
diff --git a/ring_rx.h b/ring_rx.h
index 5057a30..1a60453 100644
--- a/ring_rx.h
+++ b/ring_rx.h
@@ -16,8 +16,8 @@ extern void create_rx_ring(int sock, struct ring *ring, int verbose);
 extern void mmap_rx_ring(int sock, struct ring *ring);
 extern void alloc_rx_ring_frames(int sock, struct ring *ring);
 extern void bind_rx_ring(int sock, struct ring *ring, int ifindex);
-extern void setup_rx_ring_layout(int sock, struct ring *ring,
-				 unsigned int size, bool jumbo_support, bool v3);
+extern void setup_rx_ring_layout(int sock, struct ring *ring, size_t size,
+				 bool jumbo_support, bool v3);
 extern void sock_rx_net_stats(int sock, unsigned long seen);
 
 static inline int user_may_pull_from_rx(struct tpacket2_hdr *hdr)
diff --git a/ring_tx.c b/ring_tx.c
index 17d5f26..ee47f3f 100644
--- a/ring_tx.c
+++ b/ring_tx.c
@@ -45,7 +45,7 @@ void destroy_tx_ring(int sock, struct ring *ring)
 	xfree(ring->frames);
 }
 
-void setup_tx_ring_layout(int sock, struct ring *ring, unsigned int size,
+void setup_tx_ring_layout(int sock, struct ring *ring, size_t size,
 			  bool jumbo_support)
 {
 	fmemset(&ring->layout, 0, sizeof(ring->layout));
@@ -86,7 +86,7 @@ retry:
 	if (ret < 0)
 		panic("Cannot allocate TX_RING!\n");
 
-	ring->mm_len = ring->layout.tp_block_size * ring->layout.tp_block_nr;
+	ring->mm_len = (size_t) ring->layout.tp_block_size * ring->layout.tp_block_nr;
 
 	if (verbose) {
 		printf("TX,V2: %.2Lf MiB, %u Frames, each %u Byte allocated\n",
diff --git a/ring_tx.h b/ring_tx.h
index ea99fc6..70dd401 100644
--- a/ring_tx.h
+++ b/ring_tx.h
@@ -19,8 +19,8 @@ extern void create_tx_ring(int sock, struct ring *ring, int verbose);
 extern void mmap_tx_ring(int sock, struct ring *ring);
 extern void alloc_tx_ring_frames(int sock, struct ring *ring);
 extern void bind_tx_ring(int sock, struct ring *ring, int ifindex);
-extern void setup_tx_ring_layout(int sock, struct ring *ring,
-				 unsigned int size, bool jumbo_support);
+extern void setup_tx_ring_layout(int sock, struct ring *ring, size_t size,
+				 bool jumbo_support);
 extern void set_packet_loss_discard(int sock);
 
 static inline int user_may_pull_from_tx(struct tpacket2_hdr *hdr)
diff --git a/trafgen.c b/trafgen.c
index 489ff53..43148b7 100644
--- a/trafgen.c
+++ b/trafgen.c
@@ -56,7 +56,8 @@
 
 struct ctx {
 	bool rand, rfraw, jumbo_support, verbose, smoke_test, enforce, qdisc_path;
-	unsigned long num, reserve_size;
+	size_t reserve_size;
+	unsigned long num;
 	unsigned int cpus;
 	uid_t uid; gid_t gid;
 	char *device, *device_trans, *rhost;
@@ -590,7 +591,8 @@ static void xmit_fastpath_or_die(struct ctx *ctx, int cpu, unsigned long orig_nu
 	int ifindex = device_ifindex(ctx->device);
 	uint8_t *out = NULL;
 	unsigned int it = 0;
-	unsigned long num = 1, i = 0, size;
+	unsigned long num = 1, i = 0;
+	size_t size;
 	struct ring tx_ring;
 	struct frame_map *hdr;
 	struct timeval start, end, diff;
-- 
cgit v1.2.3-54-g00ecf