[dpdk-dev] [PATCH v3] eal: out-of-bounds write

Slawomir Mrozowicz slawomirx.mrozowicz at intel.com
Tue Jun 14 11:02:36 CEST 2016


Overrunning array mcfg->memseg of 256 44-byte elements
at element index 257 using index j.
Fixed by add condition with message information.

Fixes: af75078fece3 ("first public release")
Coverity ID 13282

Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz at intel.com>
---
 lib/librte_eal/linuxapp/eal/eal_memory.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
index 5b9132c..6a2daf5 100644
--- a/lib/librte_eal/linuxapp/eal/eal_memory.c
+++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
@@ -1301,6 +1301,15 @@ rte_eal_hugepage_init(void)
 			break;
 		}
 
+	if (j >= RTE_MAX_MEMSEG) {
+		RTE_LOG(ERR, EAL,
+			"Failed: all memsegs used by ivshmem.\n"
+			"Current %d is not enough.\n"
+			"Please either increase the RTE_MAX_MEMSEG\n",
+			RTE_MAX_MEMSEG);
+		return -ENOMEM;
+	}
+
 	for (i = 0; i < nr_hugefiles; i++) {
 		new_memseg = 0;
 
@@ -1333,8 +1342,14 @@ rte_eal_hugepage_init(void)
 
 		if (new_memseg) {
 			j += 1;
-			if (j == RTE_MAX_MEMSEG)
-				break;
+			if (j >= RTE_MAX_MEMSEG) {
+				RTE_LOG(ERR, EAL,
+					"Failed: all memsegs used by ivshmem.\n"
+					"Current %d is not enough.\n"
+					"Please either increase the RTE_MAX_MEMSEG\n",
+					RTE_MAX_MEMSEG);
+				return -ENOMEM;
+			}
 
 			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
 			mcfg->memseg[j].addr = hugepage[i].final_va;
-- 
1.9.1



More information about the dev mailing list