From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id A55A4A0C3F;
	Wed, 12 May 2021 04:19:32 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 22B594003F;
	Wed, 12 May 2021 04:19:31 +0200 (CEST)
Received: from szxga06-in.huawei.com (szxga06-in.huawei.com [45.249.212.32])
 by mails.dpdk.org (Postfix) with ESMTP id 259F04003E
 for <dev@dpdk.org>; Wed, 12 May 2021 04:19:29 +0200 (CEST)
Received: from DGGEMS401-HUB.china.huawei.com (unknown [172.30.72.59])
 by szxga06-in.huawei.com (SkyGuard) with ESMTP id 4Ffz2M4SyXzlcj3
 for <dev@dpdk.org>; Wed, 12 May 2021 10:17:15 +0800 (CST)
Received: from localhost.localdomain (10.69.192.56) by
 DGGEMS401-HUB.china.huawei.com (10.3.19.201) with Microsoft SMTP Server id
 14.3.498.0; Wed, 12 May 2021 10:19:20 +0800
From: "Min Hu (Connor)" <humin29@huawei.com>
To: <dev@dpdk.org>
CC: <ferruh.yigit@intel.com>, <david.hunt@intel.com>
Date: Wed, 12 May 2021 10:19:19 +0800
Message-ID: <1620785959-61903-1-git-send-email-humin29@huawei.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1619355594-15223-1-git-send-email-humin29@huawei.com>
References: <1619355594-15223-1-git-send-email-humin29@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.69.192.56]
X-CFilter-Loop: Reflected
Subject: [dpdk-dev] [PATCH v2] lib/librte_power: fix using variables before
 validity check
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: HongBo Zheng <zhenghongbo3@huawei.com>

In function power_guest_channel_read_msg, 'lcore_id' is used before
validity check, which may cause buffer 'global_fds' accessed by index
'lcore_id' overflow.

This patch moves the validity check of 'lcore_id' before the 'lcore_id'
being used for the first time.

Fixes: 9dc843eb273b ("power: extend guest channel API for reading")
Cc: stable@dpdk.org

Signed-off-by: HongBo Zheng <zhenghongbo3@huawei.com>
Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
---
v2:
* "global_fds[lcore_id]"  check may move before the line
"fds.fd = global_fds[lcore_id].
---
 lib/power/guest_channel.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/power/guest_channel.c b/lib/power/guest_channel.c
index 2f7507a..474dd92 100644
--- a/lib/power/guest_channel.c
+++ b/lib/power/guest_channel.c
@@ -166,6 +166,17 @@ int power_guest_channel_read_msg(void *pkt,
 	if (pkt_len == 0 || pkt == NULL)
 		return -1;
 
+	if (lcore_id >= RTE_MAX_LCORE) {
+		RTE_LOG(ERR, GUEST_CHANNEL, "Channel(%u) is out of range 0...%d\n",
+				lcore_id, RTE_MAX_LCORE-1);
+		return -1;
+	}
+
+	if (global_fds[lcore_id] < 0) {
+		RTE_LOG(ERR, GUEST_CHANNEL, "Channel is not connected\n");
+		return -1;
+	}
+
 	fds.fd = global_fds[lcore_id];
 	fds.events = POLLIN;
 
@@ -179,17 +190,6 @@ int power_guest_channel_read_msg(void *pkt,
 		return -1;
 	}
 
-	if (lcore_id >= RTE_MAX_LCORE) {
-		RTE_LOG(ERR, GUEST_CHANNEL, "Channel(%u) is out of range 0...%d\n",
-				lcore_id, RTE_MAX_LCORE-1);
-		return -1;
-	}
-
-	if (global_fds[lcore_id] < 0) {
-		RTE_LOG(ERR, GUEST_CHANNEL, "Channel is not connected\n");
-		return -1;
-	}
-
 	while (pkt_len > 0) {
 		ret = read(global_fds[lcore_id],
 				pkt, pkt_len);
-- 
2.7.4