From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anatoly Burakov Subject: [PATCH v2 1/2] mem: check if allocation size is too big Date: Mon, 30 Apr 2018 12:21:42 +0100 Message-ID: References: Cc: bruce.richardson@intel.com To: dev@dpdk.org Return-path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by dpdk.org (Postfix) with ESMTP id 80D03F64 for ; Mon, 30 Apr 2018 13:21:46 +0200 (CEST) In-Reply-To: List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Mapping size is a 64-bit integer, but mmap() will accept size_t for size mappings. A user could request a mapping with an alignment, which would have overflown size_t, so check if (size + alignment) will overflow size_t. Signed-off-by: Anatoly Burakov --- lib/librte_eal/common/eal_common_memory.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/eal_common_memory.c b/lib/librte_eal/common/eal_common_memory.c index 4c943b0..0ac7b33 100644 --- a/lib/librte_eal/common/eal_common_memory.c +++ b/lib/librte_eal/common/eal_common_memory.c @@ -75,8 +75,13 @@ eal_get_virtual_area(void *requested_addr, size_t *size, do { map_sz = no_align ? *size : *size + page_sz; + if (map_sz > SIZE_MAX) { + RTE_LOG(ERR, EAL, "Map size too big\n"); + rte_errno = E2BIG; + return NULL; + } - mapped_addr = mmap(requested_addr, map_sz, PROT_READ, + mapped_addr = mmap(requested_addr, (size_t)map_sz, PROT_READ, mmap_flags, -1, 0); if (mapped_addr == MAP_FAILED && allow_shrink) *size -= page_sz; -- 2.7.4
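Review bot: The `map_sz > SIZE_MAX` test in the `do` loop runs after `*size + page_sz` has already been evaluated, so it may not catch the overflow the commit message describes. `size` is a `size_t *`; if `page_sz` is also `size_t` (its declaration is not visible in this hunk), the sum wraps in `size_t` arithmetic before it is stored in `map_sz`, and the comparison then sees the wrapped value. Where `size_t` is 64 bits wide, a 64-bit `map_sz` can never exceed `SIZE_MAX`, so the branch is unreachable there and some compilers will warn that the comparison is always false. Suggest testing before the addition, for example `if (!no_align && *size > SIZE_MAX - page_sz)`, which needs no wider type and holds for both 32-bit and 64-bit builds. With that in place the `(size_t)map_sz` cast in the `mmap()` call is provably lossless rather than relying on the post-hoc check.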