From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by dpdk.org (Postfix) with ESMTP id EE4F82BE1
 for ; Mon, 7 May 2018 11:50:30 +0200 (CEST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 May 2018 02:50:29 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,373,1520924400"; d="scan'208";a="222227792"
Received: from dpdk51.sh.intel.com ([10.67.110.184])
 by orsmga005.jf.intel.com with ESMTP; 07 May 2018 02:50:28 -0700
From: Qi Zhang
To: adrien.mazarguil@6wind.com
Cc: yuan.peng@intel.com, wei.zhao1@intel.com, dev@dpdk.org, Qi Zhang
Date: Mon, 7 May 2018 17:50:44 +0800
Message-Id: <20180507095044.48038-1-qi.z.zhang@intel.com>
X-Mailer: git-send-email 2.13.6
Subject: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions
X-List-Received-Date: Mon, 07 May 2018 09:50:31 -0000

When calculating the memory size of an RTE_FLOW_ITEM_TYPE_RAW's mask,
mask->length is not the real size of the binary pattern; it should take
spec->length, or the memory size will be overcounted (0xffff) and invalid
memory will be accessed during the following memcpy.

Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")

Signed-off-by: Qi Zhang
---
 app/test-pmd/config.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item *item, dst.raw = buf; off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw), sizeof(*src.raw->pattern)); - size = off + src.raw->length * sizeof(*src.raw->pattern); + size = off + ((const struct rte_flow_item_raw *)item->spec)-> + length * sizeof(*src.raw->pattern); if (dst.raw) { memcpy(dst.raw, src.raw, sizeof(*src.raw)); dst.raw->pattern = memcpy((uint8_t *)dst.raw + off, -- 2.13.6
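Review bot: the new size computation dereferences `item->spec` with no NULL check in the visible context, so an item that carries a mask (or last) but no spec would turn the over-read this patch fixes into a NULL pointer dereference. Please either guard it (fall back to a pattern length of 0 when `item->spec` is NULL) or add a comment stating where the caller guarantees a non-NULL spec. The inline cast split across two lines is also hard to read; a local such as `const struct rte_flow_item_raw *spec = item->spec;` followed by `size = off + spec->length * sizeof(*src.raw->pattern);` would be clearer. Since the copied region is now sized from the spec while the source pointer is still `src.raw`, a short comment noting that the mask's pattern buffer is expected to hold at least `spec->length` elements would document the assumption the following memcpy relies on.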