From: Sergio Gonzalez Monroy
To: Bruce Richardson, Slawomir Mrozowicz
Cc: david.marchand@6wind.com, dev@dpdk.org
Date: Tue, 26 Apr 2016 10:44:12 +0100
Subject: Re: [dpdk-dev] [PATCH] eal: out-of-bounds write
Message-ID: <571F386C.3070102@intel.com>
In-Reply-To: <20160426085343.GA17164@bricha3-MOBL3>
References: <1461656687-5396-1-git-send-email-slawomirx.mrozowicz@intel.com> <20160426085343.GA17164@bricha3-MOBL3>

On 26/04/2016 09:53, Bruce Richardson wrote:
> On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
>> Fix issue reported by Coverity.
>>
>> Coverity ID 13282: Out-of-bounds write
>> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
>> at element index 257 using index j.
>>
>> Fixes: af75078fece3 ("first public release")
>>
>> Signed-off-by: Slawomir Mrozowicz
>> ---
>> lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> >> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c >> index 5b9132c..1e737e4 100644 >> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c >> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c >> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) >> >> if (new_memseg) { >> j += 1; >> - if (j == RTE_MAX_MEMSEG) >> + if (j >= RTE_MAX_MEMSEG) >> break; >> >> mcfg->memseg[j].phys_addr = hugepage[i].physaddr; >> -- > This does appear to be a valid fix for the issue. However, looking at the code, > it appears that the only way we could actually hit the problem is if > j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better > fix for this issue (or perhaps we want both fixes). > > Thoughts? It doesn't make sense to go into the loop if we don't have free memsegs. Either way we should print the error indicating that we reached MAX_MEMSEG. Sergio > /Bruce
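Review bot: The `if (j >= RTE_MAX_MEMSEG)` check in the `if (new_memseg)` branch of rte_eal_hugepage_init() still leaves the loop with a bare `break`, so running out of memseg slots stays silent. Log an error naming RTE_MAX_MEMSEG before the `break`, or return a failure, so the condition is visible to whoever starts the application. The check also runs only after `j += 1`, so the index 257 that Coverity reports implies j was already at the limit before the increment; a guard on j before the loop is entered would state that invariant directly, and keeping `>=` here as well costs nothing. The commit message could say which earlier path leaves j at RTE_MAX_MEMSEG, since the hunk alone does not show it.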