Re: [dpdk-dev] [PATCH v2 3/3] i40e: fix out-of-bounds access

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Bruce Richardson <bruce.richardson@intel.com>
To: "Xing, Beilei" <beilei.xing@intel.com>
Cc: "Wu, Jingjing" <jingjing.wu@intel.com>,
	"Jastrzebski, MichalX K" <michalx.k.jastrzebski@intel.com>,
	"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v2 3/3] i40e: fix out-of-bounds access
Date: Fri, 8 Jul 2016 16:23:41 +0100	[thread overview]
Message-ID: <20160708152341.GA29116@bricha3-MOBL3> (raw)
In-Reply-To: <94479800C636CB44BD422CB454846E013AC228@SHSMSX101.ccr.corp.intel.com>

On Wed, Jul 06, 2016 at 03:00:17AM +0100, Xing, Beilei wrote:
> 
> 
> > -----Original Message-----
> > From: Richardson, Bruce
> > Sent: Tuesday, July 5, 2016 9:26 PM
> > To: Xing, Beilei <beilei.xing@intel.com>
> > Cc: Wu, Jingjing <jingjing.wu@intel.com>; Jastrzebski, MichalX K
> > <michalx.k.jastrzebski@intel.com>; dev@dpdk.org
> > Subject: Re: [dpdk-dev] [PATCH v2 3/3] i40e: fix out-of-bounds access
> > 
> > On Tue, Jul 05, 2016 at 02:10:05PM +0800, Beilei Xing wrote:
> > > When calling i40e_flowtype_to_pctype in
> > > i40e_get_hash_filter_global_config and
> > > i40e_set_hash_filter_global_config, function i40e_flowtype_to_pctype
> > > will be possibly out-of-bounds accessed, because size of callee's
> > > array is 15. So judge flow type before calling
> > > i40e_flowtype_to_pctype.
> > > Meanwhile do the same change in other functions.
> > >
> > > Coverity issue: 37793, 37794
> > >
> > > Fixes: 782c8c92f13f ("i40e: add hash configuration")
> > > Fixes: f2b2e2354bbd ("i40e: split function for hash and flow director
> > > input")
> > > Fixes: 98f055707685 ("i40e: configure input fields for RSS or flow
> > > director")
> > >
> > > Signed-off-by: Beilei Xing <beilei.xing@intel.com>
> > > ---
> > >  drivers/net/i40e/i40e_ethdev.c | 21 ++++++++++++---------
> > >  1 file changed, 12 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/drivers/net/i40e/i40e_ethdev.c
> > > b/drivers/net/i40e/i40e_ethdev.c index a1cad37..111a552 100644
> > > --- a/drivers/net/i40e/i40e_ethdev.c
> > > +++ b/drivers/net/i40e/i40e_ethdev.c
> > > @@ -6908,6 +6908,9 @@ i40e_get_hash_filter_global_config(struct
> > i40e_hw *hw,
> > >  		mask &= ~(1UL << i);
> > >  		/* Bit set indicats the coresponding flow type is supported */
> > >  		g_cfg->valid_bit_mask[0] |= (1UL << i);
> > > +		/* if flowtype is invalid, continue */
> > > +		if (!I40E_VALID_FLOW(i))
> > > +			continue;
> > >  		pctype = i40e_flowtype_to_pctype(i);
> > >  		reg = i40e_read_rx_ctl(hw, I40E_GLQF_HSYM(pctype));
> > >  		if (reg & I40E_GLQF_HSYM_SYMH_ENA_MASK)
> > 
> > Rather than having the same check done in multiple places, is there a reason
> > why we can't just put the check once in i40e_flowtype_to_pctype?
> 
> Since the return value type of i40e_flowtype_to_pctype is " enum
> i40e_filter_pctype ", although put the check in i40e_flowtype_to_pctype,
> we should check return value after every i40e_flowtype_to_pctype calling.

Ok, point taken. If we don't check before the call, then the call itself could
return an error which would then need to be checked anyway.

> I think there's no more improvement.
> Besides, check valid flow type is called before i40e_flowtype_to_pctype in
> some places previously, such as function i40e_hash_filter_inset_select
> and i40e_fdir_filter_inset_select.

That's not a reason to keep on putting more checks in other places. It's more
of a reason why the check needs to be centralised. However, from your reasoning
above it doesn't help much, since for these existing cases you'd be just changing
one check for another.

Acked-by: Bruce Richarson <bruce.richardson@intel.com>

next prev parent reply	other threads:[~2016-07-08 15:23 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-30  7:34 [dpdk-dev] [PATCH 0/4] i40e: fix coverity defects Beilei Xing
2016-07-04 13:58 ` Bruce Richardson
2016-07-05  1:47   ` Xing, Beilei
2016-07-05  6:10 ` [dpdk-dev] [PATCH v2 0/3] " Beilei Xing
2016-07-05  6:10   ` [dpdk-dev] [PATCH v2 1/3] i40e: fix log error Beilei Xing
2016-07-05 13:24     ` Bruce Richardson
2016-07-05  6:10   ` [dpdk-dev] [PATCH v2 2/3] i40e: fix dereference before null check Beilei Xing
2016-07-05 13:24     ` Bruce Richardson
2016-07-05  6:10   ` [dpdk-dev] [PATCH v2 3/3] i40e: fix out-of-bounds access Beilei Xing
2016-07-05 13:26     ` Bruce Richardson
2016-07-06  2:00       ` Xing, Beilei
2016-07-08 15:23         ` Bruce Richardson [this message]
2016-07-08 15:33   ` [dpdk-dev] [PATCH v2 0/3] fix coverity defects Bruce Richardson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160708152341.GA29116@bricha3-MOBL3 \
    --to=bruce.richardson@intel.com \
    --cc=beilei.xing@intel.com \
    --cc=dev@dpdk.org \
    --cc=jingjing.wu@intel.com \
    --cc=michalx.k.jastrzebski@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).