bonding: fix overflow check
Checks
Commit Message
Buffer 'test_params->slave_port_ids' of size 6 accessed may
overflow, since its index 'i' can have value be is out of range.
This patch fixed it.
Fixes: 92073ef961ee ("bond: unit tests")
Cc: stable@dpdk.org
Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
---
app/test/test_link_bonding.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
On 4/22/2021 10:22 AM, Min Hu (Connor) wrote:
> Buffer 'test_params->slave_port_ids' of size 6 accessed may
> overflow, since its index 'i' can have value be is out of range.
>
> This patch fixed it.
>
> Fixes: 92073ef961ee ("bond: unit tests")
> Cc: stable@dpdk.org
>
> Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
> ---
> app/test/test_link_bonding.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/app/test/test_link_bonding.c b/app/test/test_link_bonding.c
> index 8a5c831..b5a6042 100644
> --- a/app/test/test_link_bonding.c
> +++ b/app/test/test_link_bonding.c
> @@ -2216,7 +2216,8 @@ test_activebackup_rx_burst(void)
> "failed to get primary slave for bonded port (%d)",
> test_params->bonded_port_id);
>
> - for (i = 0; i < test_params->bonded_slave_count; i++) {
> + for (i = 0; i < test_params->bonded_slave_count &&
> + i < TEST_MAX_NUMBER_OF_PORTS; i++) {
> /* Generate test bursts of packets to transmit */
> TEST_ASSERT_EQUAL(generate_test_burst(
> &gen_pkt_burst[0], burst_size, 0, 1, 0, 0, 0),
>
Hi Connor,
There is nothing wrong with the check you add, but at first place how
'test_params->bonded_slave_count' can become bigger than
'TEST_MAX_NUMBER_OF_PORTS'? Should we fix there, instead of this loop?
Also in same function, there are a few more loops iterate until " <
test_params->bonded_slave_count", so fixing the root case works for them too.
在 2021/4/26 23:08, Ferruh Yigit 写道:
> On 4/22/2021 10:22 AM, Min Hu (Connor) wrote:
>> Buffer 'test_params->slave_port_ids' of size 6 accessed may
>> overflow, since its index 'i' can have value be is out of range.
>>
>> This patch fixed it.
>>
>> Fixes: 92073ef961ee ("bond: unit tests")
>> Cc: stable@dpdk.org
>>
>> Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
>> ---
>> app/test/test_link_bonding.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/app/test/test_link_bonding.c b/app/test/test_link_bonding.c
>> index 8a5c831..b5a6042 100644
>> --- a/app/test/test_link_bonding.c
>> +++ b/app/test/test_link_bonding.c
>> @@ -2216,7 +2216,8 @@ test_activebackup_rx_burst(void)
>> "failed to get primary slave for bonded port (%d)",
>> test_params->bonded_port_id);
>>
>> - for (i = 0; i < test_params->bonded_slave_count; i++) {
>> + for (i = 0; i < test_params->bonded_slave_count &&
>> + i < TEST_MAX_NUMBER_OF_PORTS; i++) {
>> /* Generate test bursts of packets to transmit */
>> TEST_ASSERT_EQUAL(generate_test_burst(
>> &gen_pkt_burst[0], burst_size, 0, 1, 0, 0, 0),
>>
>
> Hi Connor,
>
> There is nothing wrong with the check you add, but at first place how
> 'test_params->bonded_slave_count' can become bigger than
> 'TEST_MAX_NUMBER_OF_PORTS'? Should we fix there, instead of this loop?
>
> Also in same function, there are a few more loops iterate until " <
> test_params->bonded_slave_count", so fixing the root case works for them too.
>
Hi, fixed in v2, thanks.
>
@@ -2216,7 +2216,8 @@ test_activebackup_rx_burst(void)
"failed to get primary slave for bonded port (%d)",
test_params->bonded_port_id);
- for (i = 0; i < test_params->bonded_slave_count; i++) {
+ for (i = 0; i < test_params->bonded_slave_count &&
+ i < TEST_MAX_NUMBER_OF_PORTS; i++) {
/* Generate test bursts of packets to transmit */
TEST_ASSERT_EQUAL(generate_test_burst(
&gen_pkt_burst[0], burst_size, 0, 1, 0, 0, 0),