[dpdk-dev] [PATCH] eal: out-of-bounds write
Bruce Richardson
bruce.richardson at intel.com
Tue Apr 26 10:53:44 CEST 2016
On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
> Fix issue reported by Coverity.
>
> Coverity ID 13282: Out-of-bounds write
> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
> at element index 257 using index j.
>
> Fixes: af75078fece3 ("first public release")
>
> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz at intel.com>
> ---
> lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
> index 5b9132c..1e737e4 100644
> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c
> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void)
>
> if (new_memseg) {
> j += 1;
> - if (j == RTE_MAX_MEMSEG)
> + if (j >= RTE_MAX_MEMSEG)
> break;
>
> mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
> --
This does appear to be a valid fix for the issue. However, looking at the code,
it appears that the only way we could actually hit the problem is if
j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better
fix for this issue (or perhaps we want both fixes).
Thoughts?
/Bruce
More information about the dev
mailing list