[dpdk-dev] [Bug 248] Bonding PMD: Invalid array dimension in TX burst for 802.3ad mode with fast queue leads to SEGFAULT

[bugzilla at dpdk.org]

https://bugs.dpdk.org/show_bug.cgi?id=248

            Bug ID: 248
           Summary: Bonding PMD: Invalid array dimension in TX burst for
                    802.3ad mode with fast queue leads to SEGFAULT
           Product: DPDK
           Version: 18.11
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: major
          Priority: Normal
         Component: ethdev
          Assignee: dev at dpdk.org
          Reporter: p.oltarzewski at gmail.com
  Target Milestone: ---

DPDK 18.11.1

In drivers/net/bonding/rte_eth_bond_pmd.c::bond_ethdev_tx_burst_8023ad,
bufs_slave_port_idxs array is defined as follows (lines 1293-1294):

    /* Mapping array generated by hash function to map mbufs to slaves */
    uint16_t bufs_slave_port_idxs[RTE_MAX_ETHPORTS] = { 0 };

Array dimension should be equal to number of packets being transmitted
(nb_pkts) - as correctly implemented in
rte_eth_bond_pmd.c::bond_ethdev_tx_burst_balance.

Invalid array dimension causes overflow when number of transmitted packets is
greater than RTE_MAX_ETHPORTS. Some areas of memory end up overwritten (in my
particular case, slave_nb_bufs array), which leads to SIGSEGV and crash.

To work around the issue, ensure that number of packets transmitted in a single
burst is no greater than RTE_MAX_ETHPORTS.

To fix it, it should be sufficient to define bufs_slave_port_idxs as a
variable-length array, as in bond_ethdev_tx_burst_balance:

    /* Mapping array generated by hash function to map mbufs to slaves */
    uint16_t bufs_slave_port_idxs[nb_bufs];

-- 
You are receiving this mail because:
You are the assignee for the bug.