Fixes 2026 03

[danielinux]

fb0e097 dpipe: Fixed open flags for alternate_stdout
2770df4 vde_vxlan: fix accidental fallthrough
00ca86c vde_router: Fix operator precedence in RED drop
93655b9 Fix potential early-interrupted check in hash chain search
a8a4e24 Fixed the poll count in src/vde_plug2tap.c
eade478 vde_switch: fix null pointer check in qtimer_add
2f31c8a Fix sign arithmetic in wirefilter markov delay calculation
e800207 Fixes for memory handling in vde_router
9bcd06f Fix accidental fall-through in wirefilter arg parsing
4f2f223 Fixed the memset size calculation in add_type
645b9ea vde_router: fix use-after-free when deleting iface
f0d6dfe fix dhcp_get_next_option returned len ptr dereference
04898ca vde_router arp tree: fix order of rb tree
4bb4d7a Fix use-after-free in vde_autolink

[Copilot]

Pull request overview

This PR is a grab-bag of correctness and safety fixes across the VDE toolchain (router/switch/vxlan/wirefilter/utilities), primarily addressing fallthroughs, operator-precedence mistakes, and memory/length handling.

Changes:

• Fix several switch/case fallthroughs and precedence/size-calculation bugs.
• Improve memory-safety around list deletion/copying and null checks (router, autolink, switch timer).
• Adjust I/O/polling and packet/UDP length handling in a few components.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/wirefilter.c	Fix markov timing arithmetic types and add missing break in option parsing.
src/vde_vxlan/vxlan.c	Add missing break to prevent accidental fallthrough in address handling.
src/vde_switch/vde_switch.c	Fix memset size expression precedence when growing fdtypes.
src/vde_switch/qtimer.c	Fix incorrect null-pointer check after malloc.
src/vde_switch/plugins/iplog.c	Fix hash-chain search condition to correctly match len/vlan/IP bytes.
src/vde_router/vder_udp.c	Correct UDP size calculations and return semantics for unicast send.
src/vde_router/vder_queue.c	Fix RED probability operator precedence.
src/vde_router/vder_packet.c	Free packet when vder_ip_input() indicates it is locally processed.
src/vde_router/vder_icmp.c	Avoid mutating the original buffer when replying to ICMP echo; operate on a copy.
src/vde_router/vder_dhcp.c	Fix len pointer dereference handling for END/PAD DHCP options.
src/vde_router/vder_datalink.c	Fix potential use-after-free in iface address deletion loop.
src/vde_router/vder_arp.c	Fix RB-tree traversal order by iterating with rb_first/rb_next.
src/vde_plug2tap.c	Use npollv for poll count instead of hardcoded 3.
src/vde_autolink.c	Fix potential use-after-free while removing jobs from a linked list.
src/dpipe.c	Fix open flags for alternate_stdout (O_WRONLY instead of O_RDONLY).

Comments suppressed due to low confidence (1)

src/vde_router/vder_udp.c:110

• bufsize is an int but it’s computed using udp_len (size_t) plus several sizeof(...) terms. For large payload_len, this can overflow int, leading to an undersized allocation and potential memory corruption. Please compute the allocation size in size_t (and/or add explicit overflow checks) before malloc and b->len assignment.

	bufsize = sizeof(struct vde_buff) + sizeof(struct vde_ethernet_header) + sizeof(struct iphdr) + udp_len;
	b = malloc(bufsize);
	if (!b)
		return -1;
	b->len = bufsize - sizeof(struct vde_buff);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[rd235]

approved