From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <simon.kagstrom@netinsight.net>
Received: from ernst.netinsight.se (ernst.netinsight.se [194.16.221.21])
 by dpdk.org (Postfix) with SMTP id EF14D2A5B
 for <dev@dpdk.org>; Fri, 16 Oct 2015 10:49:26 +0200 (CEST)
Received: from [10.100.1.152] (unverified [10.100.1.152]) by
 ernst.netinsight.se
 (EMWAC SMTPRS 0.83) with SMTP id <B0031302890@ernst.netinsight.se>;
 Fri, 16 Oct 2015 10:49:21 +0200
To: cristian.dumitrescu@intel.com, dev@dpdk.org
From: =?UTF-8?Q?Simon_K=c3=a5gstr=c3=b6m?= <simon.kagstrom@netinsight.net>
Message-ID: <5620BA12.9060702@netinsight.net>
Date: Fri, 16 Oct 2015 10:49:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: [dpdk-dev] Unsafe array accesses in rte_sched.c
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 08:49:27 -0000

Hi!

I'm investigating DPDK support for pacing output streams and trying to
understand the QoS framework. However, I quickly found some instances of
unsafe array accesses. E.g., the rte_sched_port_config_qsize function
looks like this:

  static void
  rte_sched_port_config_qsize(struct rte_sched_port *port)
  {
        /* TC 0 */
        port->qsize_add[0] = 0;
        port->qsize_add[1] = port->qsize_add[0] + port->qsize[0];
        port->qsize_add[2] = port->qsize_add[1] + port->qsize[0];
        port->qsize_add[3] = port->qsize_add[2] + port->qsize[0];

  [...]

        /* TC 3 */
        port->qsize_add[12] = port->qsize_add[11] + port->qsize[2];
        port->qsize_add[13] = port->qsize_add[12] + port->qsize[3];
        port->qsize_add[14] = port->qsize_add[13] + port->qsize[3];
        port->qsize_add[15] = port->qsize_add[14] + port->qsize[3];

        port->qsize_sum = port->qsize_add[15] + port->qsize[3];
  }

but port->qsize is actually defined as

  uint16_t qsize[RTE_SCHED_TRAFFIC_CLASSES_PER_PIPE];

There are similar problems in rte_sched_port_log_pipe_profile() and
probably other places.


I don't understand the code well enough to send patches for these,
although the fixes should be fairly trivial. Perhaps this is already
known as it should be fairly easy to trigger with static checkers?

// Simon