[dpdk-dev] [dpdk-stable] [PATCH] librte_flow_classify: fix out-of-bounds access
Ferruh Yigit
ferruh.yigit at intel.com
Tue Jul 30 16:44:19 CEST 2019
On 7/29/2019 2:09 PM, David Marchand wrote:
> On Wed, Jul 10, 2019 at 11:49 PM Thomas Monjalon <thomas at monjalon.net> wrote:
>>
>> 09/07/2019 13:09, Bernard Iremonger:
>>> This patch fixes the out-of-bounds coverity issue by removing the
>>> offending line of code at line 107 in rte_flow_classify_parse.c
>>> which is never executed.
>>>
>>> Coverity issue: 343454
>>>
>>> Fixes: be41ac2a330f ("flow_classify: introduce flow classify library")
>>> Cc: stable at dpdk.org
>>> Signed-off-by: Bernard Iremonger <bernard.iremonger at intel.com>
>>
>> Applied, thanks
>
> We have a segfault in the unit tests since this patch.
>
Yes, Flavia is able to reproduce the crash.
That testcase is testing a pattern without invalid END item, the pattern is the same
as the rte_flow pattern.
The expectation is that the 'rte_flow_classify_validate()' function detects this wrong
pattern and returns an error, but this can't happen.
The function gets a pointer to the pattern array without any size/length information;
the function walks through the list until it detects the END item, and if this item is
missing there is no way to limit the walk to within the boundaries of the
array. As far as I can see this is the same in the rte_flow implementation.
An invalid pattern with a missing END item is not a valid testcase with the current
implementation. I guess it wasn't crashing before by luck, unless I am missing
something here.
I suggest removing the mentioned testcase, and also removing the similar testcase for
action, invalid action without END action. If the API supports this later we can
add back the testcases.
Thanks,
ferruh
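
The limitation described in the message above, shown as an added example (not code from DPDK or from this thread): a walk that relies only on the END sentinel cannot report a missing terminator, while a walk that is also given the array capacity can. The types, names and the bounded function are hypothetical stand-ins, not the rte_flow API.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the rte_flow item types; not the DPDK definitions. */
enum item_type { ITEM_END = 0, ITEM_ETH, ITEM_IPV4, ITEM_UDP };
struct flow_item { enum item_type type; };

/* Sentinel-only walk: the callee gets just a pointer and must keep reading
 * until it sees ITEM_END. Safe only if the caller guarantees the terminator;
 * the callee has no way to detect that it is missing. */
static int count_items_sentinel(const struct flow_item *pattern)
{
    int n = 0;
    while (pattern[n].type != ITEM_END)
        n++;
    return n;
}

/* Bounded walk (hypothetical): the caller also passes the array capacity,
 * so a missing terminator becomes -EINVAL instead of an out-of-bounds read. */
static int count_items_bounded(const struct flow_item *pattern, size_t capacity)
{
    if (pattern == NULL)
        return -EINVAL;
    for (size_t i = 0; i < capacity; i++) {
        if (pattern[i].type == ITEM_END)
            return (int)i;
    }
    return -EINVAL; /* no END item inside the array */
}

/* Constructed sample patterns. */
static const struct flow_item good_pattern[] = {
    { ITEM_ETH }, { ITEM_IPV4 }, { ITEM_UDP }, { ITEM_END },
};
static const struct flow_item bad_pattern[] = {
    { ITEM_ETH }, { ITEM_IPV4 }, { ITEM_UDP }, /* END item missing */
};

int main(void)
{
    size_t bad_cap = sizeof(bad_pattern) / sizeof(bad_pattern[0]);
    printf("sentinel, good: %d\n", count_items_sentinel(good_pattern));
    printf("bounded, good: %d\n", count_items_bounded(good_pattern, 4));
    printf("bounded, bad: %d\n", count_items_bounded(bad_pattern, bad_cap));
    return 0;
}
```

The sentinel-only function is deliberately never called on the unterminated pattern, since that call is the undefined behaviour the message describes.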