From patchwork Wed Apr 25 10:15:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anatoly Burakov X-Patchwork-Id: 38884 X-Patchwork-Delegate: thomas@monjalon.net Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 877D05920; Wed, 25 Apr 2018 12:15:47 +0200 (CEST) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 167075593 for ; Wed, 25 Apr 2018 12:15:42 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Apr 2018 03:15:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,325,1520924400"; d="scan'208";a="194247472" Received: from irvmail001.ir.intel.com ([163.33.26.43]) by orsmga004.jf.intel.com with ESMTP; 25 Apr 2018 03:15:40 -0700 Received: from sivswdev01.ir.intel.com (sivswdev01.ir.intel.com [10.237.217.45]) by irvmail001.ir.intel.com (8.14.3/8.13.6/MailSET/Hub) with ESMTP id w3PAFdXO017683; Wed, 25 Apr 2018 11:15:40 +0100 Received: from sivswdev01.ir.intel.com (localhost [127.0.0.1]) by sivswdev01.ir.intel.com with ESMTP id w3PAFd3S003758; Wed, 25 Apr 2018 11:15:39 +0100 Received: (from aburakov@localhost) by sivswdev01.ir.intel.com with LOCAL id w3PAFd1a003754; Wed, 25 Apr 2018 11:15:39 +0100 From: Anatoly Burakov To: dev@dpdk.org Cc: thomas@monjalon.net, anatoly.burakov@intel.com Date: Wed, 25 Apr 2018 11:15:38 +0100 Message-Id: <157358c48a85cad762a1afb850d130be98997726.1524651111.git.anatoly.burakov@intel.com> X-Mailer: git-send-email 1.7.0.7 In-Reply-To: References: In-Reply-To: References: Subject: [dpdk-dev] [PATCH v2 2/3] malloc: fix potential out-of-bounds array access X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Technically, while the pointer would've been invalid if msl_idx were invalid, we wouldn't have actually attempted to access the pointer until verifying the index. Fix it by moving array access to after we've verified validity of the index. Coverity issue: 272574 Fixes: 66cc45e293ed ("mem: replace memseg with memseg lists") Cc: anatoly.burakov@intel.com Signed-off-by: Anatoly Burakov Acked-by: Harry van Haaren --- lib/librte_eal/common/malloc_heap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c index 590e9e3..5cf7231 100644 --- a/lib/librte_eal/common/malloc_heap.c +++ b/lib/librte_eal/common/malloc_heap.c @@ -99,11 +99,12 @@ malloc_add_seg(const struct rte_memseg_list *msl, /* msl is const, so find it */ msl_idx = msl - mcfg->memsegs; - found_msl = &mcfg->memsegs[msl_idx]; if (msl_idx < 0 || msl_idx >= RTE_MAX_MEMSEG_LISTS) return -1; + found_msl = &mcfg->memsegs[msl_idx]; + malloc_heap_add_memory(heap, found_msl, ms->addr, len); RTE_LOG(DEBUG, EAL, "Added %zuM to heap on socket %i\n", len >> 20,