HI
I am using DPDK 19.11 version. Following are my findings
struct
rte_ip_frag_death_row {
uint32_t
cnt;
/**< number of mbufs currently on death row */
struct
rte_mbuf *row[IP_FRAG_DEATH_ROW_MBUF_LEN];
/**< mbufs to be freed */
};
#define
IP_FRAG_MBUF2DR(dr, mb) ((dr)->row[(dr)->cnt++]
= (mb))
When calling
IP_FRAG_MBUF2DR, there is no check for
cnt < IP_FRAG_DEATH_ROW_MBUF_LEN.
So whenever (cnt >=
IP_FRAG_DEATH_ROW_MBUF_LEN) happens
IP_FRAG_MBUF2DR will corrupt memory due to array-bound overflow.
Late arrival or non-arrival of all fragments of packets – any of these common scenarios can cause the corruption!!
Is this a known issue?
Thanks
Purnima