HI

I am using DPDK 19.11 version. Following are my findings

struct rte_ip_frag_death_row {
       uint32_t cnt;          /**< number of mbufs currently on death row */
       struct rte_mbuf *row[IP_FRAG_DEATH_ROW_MBUF_LEN];
       /**< mbufs to be freed */
};

#define      IP_FRAG_MBUF2DR(dr, mb)   ((dr)->row[(dr)->cnt++] = (mb))



When calling IP_FRAG_MBUF2DR, there is no check for cnt < IP_FRAG_DEATH_ROW_MBUF_LEN.
So whenever (cnt >= IP_FRAG_DEATH_ROW_MBUF_LEN) happens IP_FRAG_MBUF2DR will corrupt memory due to array-bound overflow.

Late arrival or non-arrival of all fragments of packets - any of these common scenarios can cause the corruption!!

Is this a known issue?

Thanks
Purnima