From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by dpdk.org (Postfix) with ESMTP id C02497E6E for ; Tue, 14 Oct 2014 14:10:59 +0200 (CEST) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga102.fm.intel.com with ESMTP; 14 Oct 2014 05:18:43 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.04,717,1406617200"; d="scan'208";a="605077777" Received: from sie-lab-212-143.ir.intel.com (HELO silpixa00385294.ir.intel.com) ([10.237.212.143]) by fmsmga001.fm.intel.com with ESMTP; 14 Oct 2014 05:18:42 -0700 From: Alan Carew To: dev@dpdk.org Date: Tue, 14 Oct 2014 13:18:36 +0100 Message-Id: <1413289116-4825-1-git-send-email-alan.carew@intel.com> X-Mailer: git-send-email 1.9.3 Subject: [dpdk-dev] [PATCH] librte_eal: FreeBSD contigmem prevent possible buffer overrun during module unload. X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Oct 2014 12:11:00 -0000 The maximum mount contiguous memory regions for FreeBSD is limited by RTE_CONTIGMEM_MAX_NUM_BUFS, a pointer to each region is stored in static void * contigmem_buffers[RTE_CONTIGMEM_MAX_NUM_BUFS] A user can specify a greater amount via hw.contigmem.num_buffers, while the allocation logic will prevent this allocation from occuring the logic in contigmem_unload() will attempt to free hw.contigmem.num_buffers and an overrun occurs. This patch limits the freeing to a maximum of RTE_CONTIGMEM_MAX_NUM_BUFS. Signed-off-by: Alan Carew --- lib/librte_eal/bsdapp/contigmem/contigmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librte_eal/bsdapp/contigmem/contigmem.c b/lib/librte_eal/bsdapp/contigmem/contigmem.c index b71474a..b1a23fa 100644 --- a/lib/librte_eal/bsdapp/contigmem/contigmem.c +++ b/lib/librte_eal/bsdapp/contigmem/contigmem.c @@ -178,7 +178,7 @@ contigmem_unload() if (contigmem_eh_tag != NULL) EVENTHANDLER_DEREGISTER(process_exit, contigmem_eh_tag); - for (i = 0; i < contigmem_num_buffers; i++) + for (i = 0; i < RTE_CONTIGMEM_MAX_NUM_BUFS; i++) if (contigmem_buffers[i] != NULL) contigfree(contigmem_buffers[i], contigmem_buffer_size, M_CONTIGMEM); -- 1.9.3