From: "Xing, Beilei"
To: "Richardson, Bruce"
CC: "Wu, Jingjing", "Jastrzebski, MichalX K", "dev@dpdk.org"
Date: Wed, 6 Jul 2016 02:00:17 +0000
Message-ID: <94479800C636CB44BD422CB454846E013AC228@SHSMSX101.ccr.corp.intel.com>
In-Reply-To: <20160705132618.GC23500@bricha3-MOBL3>
Subject: Re: [dpdk-dev] [PATCH v2 3/3] i40e: fix out-of-bounds access

> -----Original Message-----
> From: Richardson, Bruce
> Sent: Tuesday, July 5, 2016 9:26 PM
> To: Xing, Beilei
> Cc: Wu, Jingjing; Jastrzebski, MichalX K; dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v2 3/3] i40e: fix out-of-bounds access
>
> On Tue, Jul 05, 2016 at 02:10:05PM +0800, Beilei Xing wrote:
> > When calling i40e_flowtype_to_pctype in
> > i40e_get_hash_filter_global_config and
> > i40e_set_hash_filter_global_config, function i40e_flowtype_to_pctype
> > will be possibly out-of-bounds accessed, because size of callee's
> > array is 15. So judge flow type before calling
> > i40e_flowtype_to_pctype.
> > Meanwhile do the same change in other functions.
> >
> > Coverity issue: 37793, 37794
> >
> > Fixes: 782c8c92f13f ("i40e: add hash configuration")
> > Fixes: f2b2e2354bbd ("i40e: split function for hash and flow director
> > input")
> > Fixes: 98f055707685 ("i40e: configure input fields for RSS or flow
> > director")
> >
> > Signed-off-by: Beilei Xing
> > --- > > drivers/net/i40e/i40e_ethdev.c | 21 ++++++++++++--------- > > 1 file changed, 12 insertions(+), 9 deletions(-) > > > > diff --git a/drivers/net/i40e/i40e_ethdev.c > > b/drivers/net/i40e/i40e_ethdev.c index a1cad37..111a552 100644 > > --- a/drivers/net/i40e/i40e_ethdev.c > > +++ b/drivers/net/i40e/i40e_ethdev.c
> > @@ -6908,6 +6908,9 @@ i40e_get_hash_filter_global_config(struct > i40e_hw *hw, > > mask &=3D ~(1UL << i); > > /* Bit set indicats the coresponding flow type is supported */ > > g_cfg->valid_bit_mask[0] |=3D (1UL << i); > > + /* if flowtype is invalid, continue */ > > + if (!I40E_VALID_FLOW(i)) > > + continue; > > pctype =3D i40e_flowtype_to_pctype(i); > > reg =3D i40e_read_rx_ctl(hw, I40E_GLQF_HSYM(pctype)); > > if (reg & I40E_GLQF_HSYM_SYMH_ENA_MASK)
>
> Rather than having the same check done in multiple places, is there a reason
> why we can't just put the check once in i40e_flowtype_to_pctype?

Since the return value type of i40e_flowtype_to_pctype is "enum i40e_filter_pctype", although the check is put in i40e_flowtype_to_pctype, we should check the return value after every i40e_flowtype_to_pctype call. I think there's no more improvement.
Besides, the valid flow type check is called before i40e_flowtype_to_pctype in some places previously, such as in functions i40e_hash_filter_inset_select and i40e_fdir_filter_inset_select.

/Beilei

>
> /Bruce
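
Review bot: In the i40e_get_hash_filter_global_config hunk, the new I40E_VALID_FLOW(i) check is placed after "g_cfg->valid_bit_mask[0] |= (1UL << i);", so a flow type that fails the check still has its bit set in valid_bit_mask[0], which the comment just above describes as meaning the flow type is supported, and only then is skipped. If an invalid flow type should not be reported there, move the check above that assignment; if reporting it is intended, the added comment should say why, since "if flowtype is invalid, continue" only restates the code. The skip is also silent, so a caller passing a mask with bits beyond the callee's table gets no indication that those bits were ignored; a debug log or a note in the function's documentation would make that visible.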