On Fri, Mar 01, 2024 at 08:58:45AM +0100, Stefano Brivio wrote:
> On Fri, 1 Mar 2024 10:10:52 +1100 David Gibson <david(a)gibson.dropbear.id.au> wrote:
> > On Thu, Feb 29, 2024 at 05:24:06PM +0100, Stefano Brivio wrote:
> > > On Sat, 17 Feb 2024 16:07:22 +0100 Laurent Vivier <lvivier(a)redhat.com> wrote:
> > > > We can find the same function to compute the IPv4 header checksum in tcp.c, udp.c and tap.c
> > > >
> > > > Use the function defined for tap.c, csum_ip4_header(), but with the code used in tcp.c and udp.c as it doesn't need a fully initialized IPv4 header, only protocol, tot_len, saddr and daddr.
> > > >
> > > > Signed-off-by: Laurent Vivier <lvivier(a)redhat.com>
> > > > ---
> > > > Notes:
> > > >     v3:
> > > >       - function parameters provide tot_len, saddr, daddr and protocol rather than an iphdr
> > > >     v2:
> > > >       - use csum_ip4_header() from checksum.c
> > > >       - use code from tcp.c and udp.c in csum_ip4_header()
> > > >       - use "const struct iphdr *", check is not updated by the function but by the caller.
> > > >
> > > >  checksum.c | 17 +++++++++++++----
> > > >  checksum.h | 3 ++-
> > > >  tap.c | 3 ++-
> > > >  tcp.c | 24 +++---------------------
> > > >  udp.c | 20 ++------------------
> > > >  5 files changed, 22 insertions(+), 45 deletions(-)
> > > >
> > > > diff --git a/checksum.c b/checksum.c index 74e3742bc6f6..511b296a9a80 100644 --- a/checksum.c +++ b/checksum.c @@ -57,6 +57,7 @@ #include <linux/icmpv6.h> #include "util.h" +#include "ip.h" #include "checksum.h" /* Checksums are optional for UDP over IPv4, so we usually just set 
> > > > @@ -116,13 +117,21 @@ uint16_t csum_fold(uint32_t sum) uint16_t csum(const void *buf, size_t len, uint32_t init); /** - * csum_ip4_header() - Calculate and set IPv4 header checksum + * csum_ip4_header() - Calculate IPv4 header checksum * @ip4h: IPv4 header */ -void csum_ip4_header(struct iphdr *ip4h) +uint16_t csum_ip4_header(uint16_t tot_len, uint8_t protocol, + uint32_t saddr, uint32_t daddr) { - ip4h->check = 0; - ip4h->check = csum(ip4h, (size_t)ip4h->ihl * 4, 0); + uint32_t sum = L2_BUF_IP4_PSUM(protocol);
> > >
> > > Now that we use this macro, Coverity Scan realises that it's broken:
> > >
> > >   #define L2_BUF_IP4_PSUM(proto) ((uint32_t)htons_constant(0x4500) + \
> > >           (uint32_t)htons_constant(0xff00 | (proto)))
> > >
> > > ...but proto is eight (lower) bits, so this actually ignores 'proto'.
> >
> > Uh... how so?
>
> Oops, sorry, it's not broken, and this is a false positive due to the fact that __bswap_constant_16() (which htons_constant() resolves to, on little-endian) is defined, for example in glibc, as:
>
>   #define __bswap_constant_16(x) \
>       ((((x) >> 8) & 0xff) | (((x) & 0xff) << 8))
>
> and in this case the first term of the | resolves to a constant value, 0xff, because 0xffxx >> 8 is 0xff for any value of xx.

Right. This really seems overzealous of coverity: it seems like any occasion where the compiler would constant fold could result in a similar warning.

> I couldn't think of a "solution", yet.

Making it an inline function rather than a macro might be enough to convince Coverity. Otherwise we could just mark it as a false positive in the Coverity web interface.

-- 
David Gibson                   | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
                               | _way_ _around_!
http://www.ozlabs.org/~dgibson
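
Review bot: the kernel-doc block above csum_ip4_header() in the checksum.c hunk at @@ -116,13 +117,21 @@ still carries " * @ip4h: IPv4 header", but the new signature takes tot_len, protocol, saddr and daddr and no header pointer. Replace that line with one entry per parameter, saying for tot_len, saddr and daddr whether the caller passes network or host byte order, and add a Return: line now that the function returns uint16_t instead of writing ip4h->check.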
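
An added example, not code from the patch or from anyone in this thread: it checks exhaustively what the explanation of the false positive says about the byte swap, that the first term of the | is always 0xff while proto survives in the other byte, and compares the macro with an inline-function form of the kind suggested in the last reply. BSWAP16, PSUM_MACRO, psum_inline and psum_forms_agree are names assumed here, and htons_constant() is written out as the little-endian byte swap.

```c
#include <stdint.h>

/* 16-bit byte swap, same expression as the glibc macro quoted in the thread */
#define BSWAP16(x) ((((x) >> 8) & 0xff) | (((x) & 0xff) << 8))

/* The partial sum from the thread with htons_constant() spelled out as a
 * byte swap (assumption: little-endian host) */
#define PSUM_MACRO(proto) ((uint32_t)BSWAP16(0x4500) + \
			   (uint32_t)BSWAP16(0xff00 | (proto)))

/* Hypothetical inline-function form of the same partial sum */
static inline uint32_t psum_inline(uint8_t proto)
{
	return (uint32_t)BSWAP16(0x4500) + (uint32_t)BSWAP16(0xff00 | proto);
}

/* Returns 1 if, for every 8-bit protocol value, the ">> 8" term is the
 * constant 0xff, the protocol is still present in the upper byte of the
 * swapped word, and macro and inline forms give the same sum */
int psum_forms_agree(void)
{
	for (unsigned int p = 0; p < 256; p++) {
		unsigned int swapped = BSWAP16(0xff00 | p);

		if ((swapped & 0xff) != 0xff)	/* the constant first term */
			return 0;
		if ((swapped >> 8) != p)	/* proto is not ignored */
			return 0;
		if (PSUM_MACRO(p) != psum_inline((uint8_t)p))
			return 0;
	}
	return 1;
}

int main(void)
{
	return psum_forms_agree() ? 0 : 1;
}
```

The check shows only that the two forms compute the same value; whether the inline form silences the Coverity report is not something it can establish.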