[dpdk-dev] Unsafe array accesses in rte_sched.c

Dumitrescu, Cristian cristian.dumitrescu at intel.com
Fri Oct 16 15:39:39 CEST 2015



> -----Original Message-----
> From: Simon Kågström [mailto:simon.kagstrom at netinsight.net]
> Sent: Friday, October 16, 2015 9:49 AM
> To: Dumitrescu, Cristian <cristian.dumitrescu at intel.com>; dev at dpdk.org
> Subject: Unsafe array accesses in rte_sched.c
> 
> Hi!
> 
> I'm investigating DPDK support for pacing output streams and trying to
> understand the QoS framework. However, I quickly found some instances of
> unsafe array accesses. E.g., the rte_sched_port_config_qsize function
> looks like this:
> 
>   static void
>   rte_sched_port_config_qsize(struct rte_sched_port *port)
>   {
>         /* TC 0 */
>         port->qsize_add[0] = 0;
>         port->qsize_add[1] = port->qsize_add[0] + port->qsize[0];
>         port->qsize_add[2] = port->qsize_add[1] + port->qsize[0];
>         port->qsize_add[3] = port->qsize_add[2] + port->qsize[0];
> 
>   [...]
> 
>         /* TC 3 */
>         port->qsize_add[12] = port->qsize_add[11] + port->qsize[2];
>         port->qsize_add[13] = port->qsize_add[12] + port->qsize[3];
>         port->qsize_add[14] = port->qsize_add[13] + port->qsize[3];
>         port->qsize_add[15] = port->qsize_add[14] + port->qsize[3];
> 
>         port->qsize_sum = port->qsize_add[15] + port->qsize[3];
>   }
> 
> but port->qsize is actually defined as
> 
>   uint16_t qsize[RTE_SCHED_TRAFFIC_CLASSES_PER_PIPE];
> 

Not sure what you see "unsafe" here: qsize is an array of 4 elements, while qsize_add is a different array of 16 elements? Please explain.

> There are similar problems in rte_sched_port_log_pipe_profile() and
> probably other places.
> 
> 
> I don't understand the code well enough to send patches for these,
> although the fixes should be fairly trivial. Perhaps this is already
> known as it should be fairly easy to trigger with static checkers?
> 
> // Simon



More information about the dev mailing list