From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bruce Richardson
Subject: Re: [PATCH] eal: out-of-bounds write
Date: Tue, 26 Apr 2016 09:53:44 +0100
Message-ID: <20160426085343.GA17164@bricha3-MOBL3>
References: <1461656687-5396-1-git-send-email-slawomirx.mrozowicz@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: david.marchand@6wind.com, dev@dpdk.org
To: Slawomir Mrozowicz
Return-path:
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id F1D262B89 for ; Tue, 26 Apr 2016 10:53:47 +0200 (CEST)
Content-Disposition: inline
In-Reply-To: <1461656687-5396-1-git-send-email-slawomirx.mrozowicz@intel.com>
List-Id: patches and discussions about DPDK
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: dev-bounces@dpdk.org
Sender: "dev"

On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
> Fix issue reported by Coverity.
>
> Coverity ID 13282: Out-of-bounds write
> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
> at element index 257 using index j.
>
> Fixes: af75078fece3 ("first public release")
>
> Signed-off-by: Slawomir Mrozowicz
> ---
> lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
> index 5b9132c..1e737e4 100644
> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c
> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) > > if (new_memseg) { > j += 1; > - if (j == RTE_MAX_MEMSEG) > + if (j >= RTE_MAX_MEMSEG) > break; > > mcfg->memseg[j].phys_addr = hugepage[i].physaddr; > -- This does appear to be a valid fix for the issue. However, looking at the code, it appears that the only way we could actually hit the problem is if j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better fix for this issue (or perhaps we want both fixes). Thoughts? /Bruce
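
Review bot: the commit message does not explain how `j` can get past `RTE_MAX_MEMSEG` at the changed test in the `if (new_memseg)` branch of rte_eal_hugepage_init(). With `j += 1` immediately before the test, the old `j == RTE_MAX_MEMSEG` comparison only misses when `j` is already at or above the limit before the increment, so the path that produces that state should be described alongside the Coverity text, and the bound is better enforced where `j` first reaches it. Separately, the `break` leaves the loop with no error reported in the visible lines, so the remaining hugepages are dropped silently; a log message or an error return at that point would make hitting the segment limit diagnosable.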