HI

 

I am using DPDK 19.11 version. Following are my findings

 

struct rte_ip_frag_death_row {

       uint32_t cnt;          /**< number of mbufs currently on death row */

       struct rte_mbuf *row[IP_FRAG_DEATH_ROW_MBUF_LEN];

       /**< mbufs to be freed */

};

 

#define      IP_FRAG_MBUF2DR(dr, mb)   ((dr)->row[(dr)->cnt++] = (mb))

 

 

 

When calling IP_FRAG_MBUF2DR, there is no check for cnt < IP_FRAG_DEATH_ROW_MBUF_LEN.

So whenever (cnt >= IP_FRAG_DEATH_ROW_MBUF_LEN) happens IP_FRAG_MBUF2DR will corrupt memory due to array-bound overflow.

 

Late arrival or non-arrival of all fragments of packets – any of these common scenarios can cause the corruption!!

 

Is this a known issue?

 

Thanks

Purnima