[dpdk-dev] [PATCH] eal: out-of-bounds write

Bruce Richardson bruce.richardson at intel.com
Tue Apr 26 10:53:44 CEST 2016

Previous message: [dpdk-dev] [PATCH] eal: out-of-bounds write
Next message: [dpdk-dev] [PATCH] eal: out-of-bounds write
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
> Fix issue reported by Coverity.
> 
> Coverity ID 13282: Out-of-bounds write
> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
> at element index 257 using index j.
> 
> Fixes: af75078fece3 ("first public release")
> 
> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz at intel.com>
> ---
>  lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
> index 5b9132c..1e737e4 100644
> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c
> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void)
>  
>  		if (new_memseg) {
>  			j += 1;
> -			if (j == RTE_MAX_MEMSEG)
> +			if (j >= RTE_MAX_MEMSEG)
>  				break;
>  
>  			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
> -- 

This does appear to be a valid fix for the issue. However, looking at the code,
it appears that the only way we could actually hit the problem is if 
j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better
fix for this issue (or perhaps we want both fixes).

Thoughts?

/Bruce

Previous message: [dpdk-dev] [PATCH] eal: out-of-bounds write
Next message: [dpdk-dev] [PATCH] eal: out-of-bounds write
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list