From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alan Carew <alan.carew-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Subject: [PATCH] librte_eal: FreeBSD contigmem prevent possible
	buffer overrun during module unload.
Date: Tue, 14 Oct 2014 13:18:36 +0100
Message-ID: <1413289116-4825-1-git-send-email-alan.carew@intel.com>
To: dev-VfR2kkLFssw@public.gmane.org
Return-path: <dev-bounces-VfR2kkLFssw@public.gmane.org>
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request-VfR2kkLFssw@public.gmane.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev-VfR2kkLFssw@public.gmane.org>
List-Help: <mailto:dev-request-VfR2kkLFssw@public.gmane.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request-VfR2kkLFssw@public.gmane.org?subject=subscribe>
Errors-To: dev-bounces-VfR2kkLFssw@public.gmane.org
Sender: "dev" <dev-bounces-VfR2kkLFssw@public.gmane.org>

The maximum mount contiguous memory regions for FreeBSD is limited by
RTE_CONTIGMEM_MAX_NUM_BUFS, a pointer to each region is stored in
static void * contigmem_buffers[RTE_CONTIGMEM_MAX_NUM_BUFS]

A user can specify a greater amount via hw.contigmem.num_buffers,
while the allocation logic will prevent this allocation from occuring the logic
in contigmem_unload() will attempt to free hw.contigmem.num_buffers and an
overrun occurs.

This patch limits the freeing to a maximum of RTE_CONTIGMEM_MAX_NUM_BUFS.

Signed-off-by: Alan Carew <alan.carew-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
---
 lib/librte_eal/bsdapp/contigmem/contigmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_eal/bsdapp/contigmem/contigmem.c b/lib/librte_eal/bsdapp/contigmem/contigmem.c
index b71474a..b1a23fa 100644
--- a/lib/librte_eal/bsdapp/contigmem/contigmem.c
+++ b/lib/librte_eal/bsdapp/contigmem/contigmem.c
@@ -178,7 +178,7 @@ contigmem_unload()
 	if (contigmem_eh_tag != NULL)
 		EVENTHANDLER_DEREGISTER(process_exit, contigmem_eh_tag);
 
-	for (i = 0; i < contigmem_num_buffers; i++)
+	for (i = 0; i < RTE_CONTIGMEM_MAX_NUM_BUFS; i++)
 		if (contigmem_buffers[i] != NULL)
 			contigfree(contigmem_buffers[i], contigmem_buffer_size,
 					M_CONTIGMEM);
-- 
1.9.3