| Bug ID | 1791 |
|---|---|
| Summary | cnxk driver reference past requested xstat array |
| Product | DPDK |
| Version | 25.07 |
| Hardware | All |
| OS | All |
| Status | UNCONFIRMED |
| Severity | normal |
| Priority | Normal |
| Component | ethdev |
| Assignee | dev@dpdk.org |
| Reporter | stephen@networkplumber.org |
| Target Milestone | --- |
Because the cnxk driver ignores the limit arguement in some functions such as xstat_names_get(). If the application asks for only some of the values in the xstats then an out of bounds reference is possible. Something like: struct rte_esth_xstat_name names[20]; rte_eth_xstat_get_names(port_id, names, 20); will cause out of bound array reference down here: int roc_nix_xstats_names_get(struct roc_nix *roc_nix, struct roc_nix_xstat_name *xstats_names, unsigned int limit) { struct nix *nix = roc_nix_to_nix_priv(roc_nix); struct idev_cfg *idev = idev_get_cfg(); uint64_t i, count = 0; PLT_SET_USED(limit); for (i = 0; i < CNXK_NIX_NUM_TX_XSTATS; i++) { NIX_XSTATS_NAME_PRINT(xstats_names, count, nix_tx_xstats, i); count++; }