From: Anatoly Burakov To: dev@dpdk.org Cc: thomas@monjalon.net, anatoly.burakov@intel.com Date: Tue, 17 Apr 2018 16:48:14 +0100 Message-Id: X-Mailer: git-send-email 1.7.0.7 In-Reply-To: References: In-Reply-To: References: Subject: [dpdk-dev] [PATCH 2/5] malloc: fix potential out-of-bounds array access X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Apr 2018 15:48:21 -0000 Technically, while the pointer would've been invalid if msl_idx were invalid, we wouldn't have actually attempted to access the pointer until verifying the index. Fix it by moving array access to after we've verified validity of the index. Coverity issue: 272574 Fixes: 66cc45e293ed ("mem: replace memseg with memseg lists") Cc: anatoly.burakov@intel.com Signed-off-by: Anatoly Burakov --- lib/librte_eal/common/malloc_heap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c index 590e9e3..5cf7231 100644 --- a/lib/librte_eal/common/malloc_heap.c +++ b/lib/librte_eal/common/malloc_heap.c @@ -99,11 +99,12 @@ malloc_add_seg(const struct rte_memseg_list *msl, /* msl is const, so find it */ msl_idx = msl - mcfg->memsegs; - found_msl = &mcfg->memsegs[msl_idx]; if (msl_idx < 0 || msl_idx >= RTE_MAX_MEMSEG_LISTS) return -1; + found_msl = &mcfg->memsegs[msl_idx]; + malloc_heap_add_memory(heap, found_msl, ms->addr, len); RTE_LOG(DEBUG, EAL, "Added %zuM to heap on socket %i\n", len >> 20, -- 2.7.4
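Review bot: the range check `if (msl_idx < 0 || msl_idx >= RTE_MAX_MEMSEG_LISTS)` still rests on `msl_idx = msl - mcfg->memsegs`, and in C that pointer subtraction is only defined when `msl` already points into the `mcfg->memsegs` array. The check therefore catches an unexpected index but cannot be relied on to validate an arbitrary `msl`. Worth stating in the `/* msl is const, so find it */` comment that callers must pass an element of `mcfg->memsegs`, or doing the containment test on the addresses before subtracting. Separately, the `return -1` path is silent while the success path logs at DEBUG; an `RTE_LOG` line on the failure path would make a rejected memseg list visible. Moving `found_msl = &mcfg->memsegs[msl_idx];` below the check is correct as written.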