From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id A7CB3A00C2;
	Tue,  8 Mar 2022 12:21:00 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 700B24068E;
	Tue,  8 Mar 2022 12:21:00 +0100 (CET)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com
 [66.111.4.28]) by mails.dpdk.org (Postfix) with ESMTP id EEFBB4068B
 for <dev@dpdk.org>; Tue,  8 Mar 2022 12:20:58 +0100 (CET)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 611CA5C0090;
 Tue,  8 Mar 2022 06:20:57 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Tue, 08 Mar 2022 06:20:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h=
 cc:cc:content-transfer-encoding:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:sender:subject:subject:to:to; s=fm1; bh=F/I7LTgJRazWaj
 LlcwpbjxInp/BZwyo9cd3MPIe6Ezo=; b=gneGEJimb0t/AOdKgrV65cFhTT1sMK
 bF+5c3ujbxMX4ZOPkvy1ZMMK7Dp7ylfdomwlvJmbWv5ZP8lFfNoXZh0UnqLP6IBG
 3lCQrAnAur1/ghc7Hz6//fMqcFZwowYu03yhFPk7yW/F9pMie4HbxxP9MrUjcTI1
 L9QuM7dneKlwI3LSrgk/ZA1NE3ezalEuBkc0cQW/dhjtY7tVYEXcUCte/afJeRBa
 Yho54v+JQIfalBRsaB8O7phYBlduQ7HOVX3I9XK9sKfQPXeSndCqRH7xR/J8v6Ww
 sa/Zfl0yYvXRv9zPrJOHiah4Mzlyc1PrAppXr6haVnDpC/RqXdFR4dTw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:date:date:from:from:in-reply-to:in-reply-to
 :message-id:mime-version:references:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm2; bh=F/I7LTgJRazWajLlcwpbjxInp/BZwyo9cd3MPIe6E
 zo=; b=J43kI9yr209Wxky8bTMNFtRj8ay7uAEXQYby1DXja9nJsRmUDEstAd2v3
 NLJomMSFO+m64aE33PE00V/USoOr+xZI+LkfdrnyAbk3pWYY4gyqgOZ2pKjN7+2V
 6/09HtBEVUcZGbkeDg5711dXfccRPslX19kaO6x83YbjaT+N7/fPtqXRy0iMqxPU
 UiEmHxb7SS80kmG1BzhAMC7IR17Lr44xTFMYPhzD7E8F7JcfYHAEIznEpv3AAxgG
 k+kSJmdR4np7Z6UtPiwW9V0rg80t5+sXJV7aose9djuMf9F5e6/ggcZkPRiuv6Sl
 6Uiics4lBjUYEraxZlCTiy1tW1RGQ==
X-ME-Sender: <xms:GDwnYpvj6MmdTHWnhkegKTUeL9aASCYtxFdEasl4N9J1EopyKS5puQ>
 <xme:GDwnYidHgLmX87BhROHIOeK-AkUxMgXbpDZXUo-YJ0Vz8L9Dgxq7fG1wLdtzMdAJf
 _8QoY7_mAy3OnHupA>
X-ME-Received: <xmr:GDwnYsyt35xEKFlWFt5JDhbqmC4CwU9zRLOsNX_lbuYxC_e2eYitTlX0OPjgdrDWF1cILxxnymFFsYIEmC3MfFPIrQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrudduiedgvdejucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
 cujfgurhephffvufffkfgjfhgggfgtsehtufertddttddvnecuhfhrohhmpefvhhhomhgr
 shcuofhonhhjrghlohhnuceothhhohhmrghssehmohhnjhgrlhhonhdrnhgvtheqnecugg
 ftrfgrthhtvghrnhepudeggfdvfeduffdtfeeglefghfeukefgfffhueejtdetuedtjeeu
 ieeivdffgeehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh
 homhepthhhohhmrghssehmohhnjhgrlhhonhdrnhgvth
X-ME-Proxy: <xmx:GDwnYgO0VSZi84XzCH8xFVhS10oTr3hOqt8DXn4qzS9o_htgGnM28g>
 <xmx:GDwnYp8bQBsv9ZUiWK7WJeASzQUSBpaQYNnf6rw9KyaPZkSvcy_7Cg>
 <xmx:GDwnYgU5lwz97f2mOHB0K9orYzvdco4PT6MEbhzj6f0qgxv-eaE72g>
 <xmx:GTwnYrJdMdC6K0_X-x98Q9XSkXm4PkIWa-EM4LO4liIYjvdWDa6veQ>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue,
 8 Mar 2022 06:20:56 -0500 (EST)
From: Thomas Monjalon <thomas@monjalon.net>
To: Rahul Bhansali <rbhansali@marvell.com>
Cc: dev@dpdk.org, david.marchand@redhat.com,
 Conor Walsh <conor.walsh@intel.com>
Subject: Re: [PATCH] examples/l3fwd: resolve stack buffer overflow issue
Date: Tue, 08 Mar 2022 12:20:54 +0100
Message-ID: <4698000.9Mp67QZiUf@thomas>
In-Reply-To: <20220111125005.554635-1-rbhansali@marvell.com>
References: <20220111125005.554635-1-rbhansali@marvell.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

11/01/2022 13:50, Rahul Bhansali:
> This patch fixes the stack buffer overflow error reported
> from AddressSanitizer.
> Function send_packetsx4() tries to access out of bound data
> from rte_mbuf and fill it into TX buffer even in the case
> where no pending packets (len = 0).
> Performance impact:- No
> 
> ASAN error report:-
> ==819==ERROR: AddressSanitizer: stack-buffer-overflow on address
> 0xffffe2c0dcf0 at pc 0x0000005e791c bp 0xffffe2c0d7e0 sp 0xffffe2c0d800
> READ of size 8 at 0xffffe2c0dcf0 thread T0
>  #0 0x5e7918 in send_packetsx4 ../examples/l3fwd/l3fwd_common.h:251
>  #1 0x5e7918 in send_packets_multi ../examples/l3fwd/l3fwd_neon.h:226

This code comes from below commit, so these tags are missing:
Fixes: 96ff445371e0 ("examples/l3fwd: reorganise and optimize LPM code path")
Cc: stable@dpdk.org

> Signed-off-by: Rahul Bhansali <rbhansali@marvell.com>
> ---
>  examples/l3fwd/l3fwd_common.h | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/examples/l3fwd/l3fwd_common.h b/examples/l3fwd/l3fwd_common.h
> index 7d83ff641a..de77711f88 100644
> --- a/examples/l3fwd/l3fwd_common.h
> +++ b/examples/l3fwd/l3fwd_common.h
> @@ -236,6 +236,9 @@ send_packetsx4(struct lcore_conf *qconf, uint16_t port, struct rte_mbuf *m[],
>  
>  		/* copy rest of the packets into the TX buffer. */
>  		len = num - n;
> +		if (len == 0)
> +			goto exit;
> +

I don't understand how it can fix something.
There is already  "while (j < len)" with j and len being 0,
the loop should not be effective in this case.

>  		j = 0;
>  		switch (len % FWDSTEP) {
>  		while (j < len) {
> @@ -258,6 +261,7 @@ send_packetsx4(struct lcore_conf *qconf, uint16_t port, struct rte_mbuf *m[],
>  		}
>  	}
>  
> +exit:
>  	qconf->tx_mbufs[port].len = len;
>  }