From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <qi.z.zhang@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by dpdk.org (Postfix) with ESMTP id EE4F82BE1
 for <dev@dpdk.org>; Mon,  7 May 2018 11:50:30 +0200 (CEST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 07 May 2018 02:50:29 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,373,1520924400"; d="scan'208";a="222227792"
Received: from dpdk51.sh.intel.com ([10.67.110.184])
 by orsmga005.jf.intel.com with ESMTP; 07 May 2018 02:50:28 -0700
From: Qi Zhang <qi.z.zhang@intel.com>
To: adrien.mazarguil@6wind.com
Cc: yuan.peng@intel.com, wei.zhao1@intel.com, dev@dpdk.org,
 Qi Zhang <qi.z.zhang@intel.com>
Date: Mon,  7 May 2018 17:50:44 +0800
Message-Id: <20180507095044.48038-1-qi.z.zhang@intel.com>
X-Mailer: git-send-email 2.13.6
Subject: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2018 09:50:31 -0000

When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
mask->length is not the real size of binary pattern, it should take
spec->length, or memory size will be over counted (0xffff) and invalid
memory be access during following memcpy.

Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")

Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
---
 app/test-pmd/config.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item *item,
 		dst.raw = buf;
 		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
 				     sizeof(*src.raw->pattern));
-		size = off + src.raw->length * sizeof(*src.raw->pattern);
+		size = off + ((const struct rte_flow_item_raw *)item->spec)->
+			length * sizeof(*src.raw->pattern);
 		if (dst.raw) {
 			memcpy(dst.raw, src.raw, sizeof(*src.raw));
 			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
-- 
2.13.6