[dpdk-dev] [PATCH v2] bonding: fix overflow check

[Ferruh Yigit]

On 4/30/2021 3:54 AM, Min Hu (Connor) wrote:
> 
> 
> 在 2021/4/29 21:33, Ferruh Yigit 写道:
>> On 4/27/2021 2:40 AM, Min Hu (Connor) wrote:
>>> Buffer 'test_params->slave_port_ids' of size 6 accessed may
>>> overflow, since its index 'i' can have value be is out of range.
>>>
>>> This patch fixed it.
>>>
>>> Fixes: 92073ef961ee ("bond: unit tests")
>>> Cc: stable at dpdk.org
>>>
>>> Signed-off-by: Min Hu (Connor) <humin29 at huawei.com>
>>> ---
>>> v2:
>>> * fix bonded_slave_count value.
>>> ---
>>>   app/test/test_link_bonding.c | 3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/app/test/test_link_bonding.c b/app/test/test_link_bonding.c
>>> index 8a5c831..f8abb22 100644
>>> --- a/app/test/test_link_bonding.c
>>> +++ b/app/test/test_link_bonding.c
>>> @@ -2216,6 +2216,9 @@ test_activebackup_rx_burst(void)
>>>               "failed to get primary slave for bonded port (%d)",
>>>               test_params->bonded_port_id);
>>>   +    if (test_params->bonded_slave_count > TEST_MAX_NUMBER_OF_PORTS)
>>> +        test_params->bonded_slave_count = TEST_MAX_NUMBER_OF_PORTS;
>>> +
>>
>> Hi Connor,
>>
>> Similar comment as previous version, what is the root cause, how
>> 'bonded_slave_count' end up being bigger than 'TEST_MAX_NUMBER_OF_PORTS'?
>>
> Hi Ferruh,
> Currently, it will not happen.
> But if the testcase extended, for instance,
> "test_add_slave_to_bonded_device" is called over
> TEST_MAX_NUMBER_OF_PORTS(6) times in
> "test_add_already_bonded_slave_to_bonded_device",
> then 'bonded_slave_count' will be bigger than
> 'TEST_MAX_NUMBER_OF_PORTS'.
> 

What do you think adding 'test_params->bonded_slave_count' check at the
beginning of the 'test_add_slave_to_bonded_device()' and fail test case if it is
bigger than 'TEST_MAX_NUMBER_OF_PORTS'?

>>>       for (i = 0; i < test_params->bonded_slave_count; i++) {
>>>           /* Generate test bursts of packets to transmit */
>>>           TEST_ASSERT_EQUAL(generate_test_burst(
>>>
>>
>> .
>>