From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <slawomirx.mrozowicz@intel.com>
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
 by dpdk.org (Postfix) with ESMTP id 9304F682B
 for <dev@dpdk.org>; Tue, 14 Jun 2016 10:06:49 +0200 (CEST)
Received: from orsmga002.jf.intel.com ([10.7.209.21])
 by fmsmga101.fm.intel.com with ESMTP; 14 Jun 2016 01:06:48 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.26,470,1459839600"; d="scan'208";a="997169170"
Received: from gklab-246-019.igk.intel.com (HELO intel.com) ([10.217.246.19])
 by orsmga002.jf.intel.com with SMTP; 14 Jun 2016 01:06:45 -0700
Received: by intel.com (sSMTP sendmail emulation);
 Tue, 14 Jun 2016 11:02:39 +0200
From: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
To: david.marchand@6wind.com
Cc: dev@dpdk.org,
	Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Date: Tue, 14 Jun 2016 11:02:36 +0200
Message-Id: <1465894956-14016-1-git-send-email-slawomirx.mrozowicz@intel.com>
X-Mailer: git-send-email 1.9.1
Subject: [dpdk-dev] [PATCH v3] eal: out-of-bounds write
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2016 08:06:50 -0000

Overrunning array mcfg->memseg of 256 44-byte elements
at element index 257 using index j.
Fixed by add condition with message information.

Fixes: af75078fece3 ("first public release")
Coverity ID 13282

Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
---
 lib/librte_eal/linuxapp/eal/eal_memory.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
index 5b9132c..6a2daf5 100644
--- a/lib/librte_eal/linuxapp/eal/eal_memory.c
+++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
@@ -1301,6 +1301,15 @@ rte_eal_hugepage_init(void)
 			break;
 		}
 
+	if (j >= RTE_MAX_MEMSEG) {
+		RTE_LOG(ERR, EAL,
+			"Failed: all memsegs used by ivshmem.\n"
+			"Current %d is not enough.\n"
+			"Please either increase the RTE_MAX_MEMSEG\n",
+			RTE_MAX_MEMSEG);
+		return -ENOMEM;
+	}
+
 	for (i = 0; i < nr_hugefiles; i++) {
 		new_memseg = 0;
 
@@ -1333,8 +1342,14 @@ rte_eal_hugepage_init(void)
 
 		if (new_memseg) {
 			j += 1;
-			if (j == RTE_MAX_MEMSEG)
-				break;
+			if (j >= RTE_MAX_MEMSEG) {
+				RTE_LOG(ERR, EAL,
+					"Failed: all memsegs used by ivshmem.\n"
+					"Current %d is not enough.\n"
+					"Please either increase the RTE_MAX_MEMSEG\n",
+					RTE_MAX_MEMSEG);
+				return -ENOMEM;
+			}
 
 			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
 			mcfg->memseg[j].addr = hugepage[i].final_va;
-- 
1.9.1