From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?Q?Simon_K=c3=a5gstr=c3=b6m?= Subject: Unsafe array accesses in rte_sched.c Date: Fri, 16 Oct 2015 10:49:22 +0200 Message-ID: <5620BA12.9060702@netinsight.net> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit To: cristian.dumitrescu@intel.com, dev@dpdk.org Return-path: Received: from ernst.netinsight.se (ernst.netinsight.se [194.16.221.21]) by dpdk.org (Postfix) with SMTP id EF14D2A5B for ; Fri, 16 Oct 2015 10:49:26 +0200 (CEST) List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi! I'm investigating DPDK support for pacing output streams and trying to understand the QoS framework. However, I quickly found some instances of unsafe array accesses. E.g., the rte_sched_port_config_qsize function looks like this: static void rte_sched_port_config_qsize(struct rte_sched_port *port) { /* TC 0 */ port->qsize_add[0] = 0; port->qsize_add[1] = port->qsize_add[0] + port->qsize[0]; port->qsize_add[2] = port->qsize_add[1] + port->qsize[0]; port->qsize_add[3] = port->qsize_add[2] + port->qsize[0]; [...] /* TC 3 */ port->qsize_add[12] = port->qsize_add[11] + port->qsize[2]; port->qsize_add[13] = port->qsize_add[12] + port->qsize[3]; port->qsize_add[14] = port->qsize_add[13] + port->qsize[3]; port->qsize_add[15] = port->qsize_add[14] + port->qsize[3]; port->qsize_sum = port->qsize_add[15] + port->qsize[3]; } but port->qsize is actually defined as uint16_t qsize[RTE_SCHED_TRAFFIC_CLASSES_PER_PIPE]; There are similar problems in rte_sched_port_log_pipe_profile() and probably other places. I don't understand the code well enough to send patches for these, although the fixes should be fairly trivial. Perhaps this is already known as it should be fairly easy to trigger with static checkers? // Simon