From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
by inbox.dpdk.org (Postfix) with ESMTP id 0EBE545D0A;
Fri, 15 Nov 2024 05:10:54 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
by mails.dpdk.org (Postfix) with ESMTP id E0B0842EF2;
Fri, 15 Nov 2024 05:10:53 +0100 (CET)
Received: from inbox.dpdk.org (inbox.dpdk.org [95.142.172.178])
by mails.dpdk.org (Postfix) with ESMTP id E665242E52
for ; Fri, 15 Nov 2024 05:10:51 +0100 (CET)
Received: by inbox.dpdk.org (Postfix, from userid 33)
id CCF0945D0B; Fri, 15 Nov 2024 05:10:51 +0100 (CET)
From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [DPDK/ethdev Bug 1580] Nthw: array overrun
Date: Fri, 15 Nov 2024 04:10:51 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: DPDK
X-Bugzilla-Component: ethdev
X-Bugzilla-Version: 24.11
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: stephen@networkplumber.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: dev@dpdk.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
op_sys bug_status bug_severity priority component assigned_to reporter
target_milestone
Message-ID:
Content-Type: multipart/alternative; boundary=17316438510.Ae12Fe3Ce.869626
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://bugs.dpdk.org/
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
MIME-Version: 1.0
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: dev-bounces@dpdk.org
--17316438510.Ae12Fe3Ce.869626
Date: Fri, 15 Nov 2024 05:10:51 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://bugs.dpdk.org/
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
https://bugs.dpdk.org/show_bug.cgi?id=1580
Bug ID: 1580
Summary: Nthw: array overrun
Product: DPDK
Version: 24.11
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: stephen@networkplumber.org
Target Milestone: ---
In the article:
https://pvs-studio.com/en/blog/posts/cpp/1183/
Fix is not obvious, either offset the bus_type_id or change checks.
Bug 35: strange check and possible array overrun
static const char *const sa_nthw_fpga_bus_type_str[] = {
    "ERR",  /* NTHW_FPGA_BUS_TYPE_UNKNOWN, */
    "BAR",  /* NTHW_FPGA_BUS_TYPE_BAR, */
    "PCI",  /* NTHW_FPGA_BUS_TYPE_PCI, */
    "CCIP", /* NTHW_FPGA_BUS_TYPE_CCIP, */
    "RAB0", /* NTHW_FPGA_BUS_TYPE_RAB0, */
    "RAB1", /* NTHW_FPGA_BUS_TYPE_RAB1, */
    "RAB2", /* NTHW_FPGA_BUS_TYPE_RAB2, */
    "NMB",  /* NTHW_FPGA_BUS_TYPE_NMB, */
    "NDM",  /* NTHW_FPGA_BUS_TYPE_NDM, */
};
static const char *get_bus_name(int n_bus_type_id)
{
    if (n_bus_type_id >= 1 &&
        n_bus_type_id <= (int)ARRAY_SIZE(sa_nthw_fpga_bus_type_str))
        return sa_nthw_fpga_bus_type_str[n_bus_type_id];
    else
        return "ERR";
}
PVS-Studio warnings:
V557 Array overrun is possible. The value of 'n_bus_type_id' index could reach
9. nthw_fpga_model.c 32
The n_bus_type_id index is checked before extracting a row from an array. There
are two questions to this check:
Why is an index starting with 1 considered valid?
Why is the right boundary checked using the <= operator? If the index is equal
to the number of elements in the array, an Off-by-one Error will occur.
I would venture to guess that the ID values in the n_bus_type_id variable start
with 1. This way, the mistake is that one forgot to subtract 1 before
extracting an element from the array. In this case, the correct code will look
like this:
static const char *get_bus_name(int n_bus_type_id)
{
    if (n_bus_type_id >= 1 &&
        n_bus_type_id <= (int)ARRAY_SIZE(sa_nthw_fpga_bus_type_str))
        return sa_nthw_fpga_bus_type_str[n_bus_type_id - 1];
    else
        return "ERR";
}
I'm not sure, though. It's strange that no one noticed that the function
returns the wrong lines. Perhaps the indexes are numbered from 0 after all.
Then the check should be rewritten:
static const char *get_bus_name(int n_bus_type_id)
{
    if (n_bus_type_id >= 0 &&
        n_bus_type_id < (int)ARRAY_SIZE(sa_nthw_fpga_bus_type_str))
        return sa_nthw_fpga_bus_type_str[n_bus_type_id];
    else
        return "ERR";
}
Please forgive my uncertainty. It's the first time when I see this code. The
code is obviously incorrect, but unfortunately, I am limited in time to study
each found error in more depth. There are dozens of them, and one of me.
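An added example, not part of the bug report or of the DPDK driver: it shows that the reported range test accepts an ID equal to the array size, and one way to keep the string table and the ID list from drifting apart. It assumes the second reading in the report (IDs numbered from 0, in the order of the table's comments); `EX_BUS_TYPE_COUNT`, `bus_type_str`, `original_check_accepts` and `get_bus_name_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Assumption: IDs count from 0, in the order of the comments in the report. */
enum nthw_fpga_bus_type {
	NTHW_FPGA_BUS_TYPE_UNKNOWN = 0, NTHW_FPGA_BUS_TYPE_BAR,
	NTHW_FPGA_BUS_TYPE_PCI, NTHW_FPGA_BUS_TYPE_CCIP,
	NTHW_FPGA_BUS_TYPE_RAB0, NTHW_FPGA_BUS_TYPE_RAB1,
	NTHW_FPGA_BUS_TYPE_RAB2, NTHW_FPGA_BUS_TYPE_NMB,
	NTHW_FPGA_BUS_TYPE_NDM,
	EX_BUS_TYPE_COUNT /* hypothetical sentinel, not from the report */
};

/* Designated initializers bind each string to its ID, not to its position. */
static const char *const bus_type_str[] = {
	[NTHW_FPGA_BUS_TYPE_UNKNOWN] = "ERR", [NTHW_FPGA_BUS_TYPE_BAR] = "BAR",
	[NTHW_FPGA_BUS_TYPE_PCI] = "PCI", [NTHW_FPGA_BUS_TYPE_CCIP] = "CCIP",
	[NTHW_FPGA_BUS_TYPE_RAB0] = "RAB0", [NTHW_FPGA_BUS_TYPE_RAB1] = "RAB1",
	[NTHW_FPGA_BUS_TYPE_RAB2] = "RAB2", [NTHW_FPGA_BUS_TYPE_NMB] = "NMB",
	[NTHW_FPGA_BUS_TYPE_NDM] = "NDM",
};

/* The build breaks if the enum grows at the end and the table does not. */
_Static_assert(ARRAY_SIZE(bus_type_str) == EX_BUS_TYPE_COUNT,
	       "bus_type_str out of sync with enum nthw_fpga_bus_type");

/* Range test as written in the report, without the array access. */
static int original_check_accepts(int id)
{
	return id >= 1 && id <= (int)ARRAY_SIZE(bus_type_str);
}

/* One unsigned compare rejects both negative IDs and id == array size;
 * the NULL test covers an ID that has no string in the table. */
static const char *get_bus_name_checked(int id)
{
	if ((unsigned int)id < ARRAY_SIZE(bus_type_str) && bus_type_str[id])
		return bus_type_str[id];
	return "ERR";
}

int main(void)
{
	for (int id = -1; id <= (int)EX_BUS_TYPE_COUNT; id++)
		printf("%2d original_check=%d checked=%s\n", id,
		       original_check_accepts(id), get_bus_name_checked(id));
	return 0;
}
```
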