DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
@ 2018-05-07  9:50 Qi Zhang
  2018-05-08  6:24 ` Zhao1, Wei
  2018-05-09 13:58 ` Thomas Monjalon
  0 siblings, 2 replies; 7+ messages in thread
From: Qi Zhang @ 2018-05-07  9:50 UTC (permalink / raw)
  To: adrien.mazarguil; +Cc: yuan.peng, wei.zhao1, dev, Qi Zhang

When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
mask->length is not the real size of binary pattern, it should take
spec->length, or memory size will be over counted (0xffff) and invalid
memory be access during following memcpy.

Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")

Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
---
 app/test-pmd/config.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item *item,
 		dst.raw = buf;
 		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
 				     sizeof(*src.raw->pattern));
-		size = off + src.raw->length * sizeof(*src.raw->pattern);
+		size = off + ((const struct rte_flow_item_raw *)item->spec)->
+			length * sizeof(*src.raw->pattern);
 		if (dst.raw) {
 			memcpy(dst.raw, src.raw, sizeof(*src.raw));
 			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
-- 
2.13.6

^ permalink raw reply	[flat|nested] 7+ messages in thread
* [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
@ 2021-10-12  7:36 skori
  2021-10-12  7:50 ` Li, Xiaoyun
  0 siblings, 1 reply; 7+ messages in thread
From: skori @ 2021-10-12  7:36 UTC (permalink / raw)
  To: Xiaoyun Li; +Cc: dev, Sunil Kumar Kori, stable

From: Sunil Kumar Kori <skori@marvell.com>

During parsing of DSCP entries, memory is allocated and assgined
to *dscp_table. Later on, same memory is accessed using
*dscp_table[i++].

Due to higher precedence for array subscript, dscp_table[i++] will
be executed first which actually does not point to the same memory
which was allocated previously for DSCP table entries.

Cc: stable@dpdk.org

Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing commands")

Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
---
 app/test-pmd/cmdline_mtr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c
index b5dcfdadcf..ad7ef6ad98 100644
--- a/app/test-pmd/cmdline_mtr.c
+++ b/app/test-pmd/cmdline_mtr.c
@@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum rte_color **dscp_table)
 	while (1) {
 		if (strcmp(token, "G") == 0 ||
 			strcmp(token, "g") == 0)
-			*dscp_table[i++] = RTE_COLOR_GREEN;
+			(*dscp_table)[i++] = RTE_COLOR_GREEN;
 		else if (strcmp(token, "Y") == 0 ||
 			strcmp(token, "y") == 0)
-			*dscp_table[i++] = RTE_COLOR_YELLOW;
+			(*dscp_table)[i++] = RTE_COLOR_YELLOW;
 		else if (strcmp(token, "R") == 0 ||
 			strcmp(token, "r") == 0)
-			*dscp_table[i++] = RTE_COLOR_RED;
+			(*dscp_table)[i++] = RTE_COLOR_RED;
 		else {
 			free(*dscp_table);
 			return -1;
-- 
2.25.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2021-10-12  8:21 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-07  9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
2018-05-08  6:24 ` Zhao1, Wei
2018-05-08  8:31   ` Zhang, Qi Z
2018-05-09 13:58 ` Thomas Monjalon
2021-10-12  7:36 skori
2021-10-12  7:50 ` Li, Xiaoyun
2021-10-12  8:21   ` Sunil Kumar Kori

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).