[v2] bonding: fix overflow check
Commit Message
Buffer 'test_params->slave_port_ids' of size 6 accessed may
overflow, since its index 'i' can have a value that is out of range.
This patch fixed it.
Fixes: 92073ef961ee ("bond: unit tests")
Cc: stable@dpdk.org
Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
---
v2:
* fix bonded_slave_count value.
---
app/test/test_link_bonding.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On 4/27/2021 2:40 AM, Min Hu (Connor) wrote:
> Buffer 'test_params->slave_port_ids' of size 6 accessed may
> overflow, since its index 'i' can have a value that is out of range.
>
> This patch fixed it.
>
> Fixes: 92073ef961ee ("bond: unit tests")
> Cc: stable@dpdk.org
>
> Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
> ---
> v2:
> * fix bonded_slave_count value.
> ---
> app/test/test_link_bonding.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/app/test/test_link_bonding.c b/app/test/test_link_bonding.c
> index 8a5c831..f8abb22 100644
> --- a/app/test/test_link_bonding.c
> +++ b/app/test/test_link_bonding.c
> @@ -2216,6 +2216,9 @@ test_activebackup_rx_burst(void)
> "failed to get primary slave for bonded port (%d)",
> test_params->bonded_port_id);
>
> + if (test_params->bonded_slave_count > TEST_MAX_NUMBER_OF_PORTS)
> + test_params->bonded_slave_count = TEST_MAX_NUMBER_OF_PORTS;
> +
Hi Connor,
Similar comment as the previous version, what is the root cause, how does
'bonded_slave_count' end up being bigger than 'TEST_MAX_NUMBER_OF_PORTS'?
> for (i = 0; i < test_params->bonded_slave_count; i++) {
> /* Generate test bursts of packets to transmit */
> TEST_ASSERT_EQUAL(generate_test_burst(
>
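Review bot: the guard added ahead of the `for (i = 0; i < test_params->bonded_slave_count; i++)` loop covers only this one loop in test_activebackup_rx_burst(); the diffstat shows three inserted lines in a single place, so any other code that walks 'slave_port_ids' using 'bonded_slave_count' stays unguarded. Bounding the count once, at the point where it is incremented, would cover every user of the array and keep the invariant in one place.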
On 2021/4/29 21:33, Ferruh Yigit wrote:
> On 4/27/2021 2:40 AM, Min Hu (Connor) wrote:
>> Buffer 'test_params->slave_port_ids' of size 6 accessed may
>> overflow, since its index 'i' can have a value that is out of range.
>>
>> This patch fixed it.
>>
>> Fixes: 92073ef961ee ("bond: unit tests")
>> Cc: stable@dpdk.org
>>
>> Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
>> ---
>> v2:
>> * fix bonded_slave_count value.
>> ---
>> app/test/test_link_bonding.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/app/test/test_link_bonding.c b/app/test/test_link_bonding.c
>> index 8a5c831..f8abb22 100644
>> --- a/app/test/test_link_bonding.c
>> +++ b/app/test/test_link_bonding.c
>> @@ -2216,6 +2216,9 @@ test_activebackup_rx_burst(void)
>> "failed to get primary slave for bonded port (%d)",
>> test_params->bonded_port_id);
>>
>> + if (test_params->bonded_slave_count > TEST_MAX_NUMBER_OF_PORTS)
>> + test_params->bonded_slave_count = TEST_MAX_NUMBER_OF_PORTS;
>> +
>
> Hi Connor,
>
> Similar comment as the previous version, what is the root cause, how does
> 'bonded_slave_count' end up being bigger than 'TEST_MAX_NUMBER_OF_PORTS'?
>
Hi Ferruh,
Currently, it will not happen.
But if the testcase is extended, for instance,
"test_add_slave_to_bonded_device" is called over
TEST_MAX_NUMBER_OF_PORTS(6) times in
"test_add_already_bonded_slave_to_bonded_device",
then 'bonded_slave_count' will be bigger than
'TEST_MAX_NUMBER_OF_PORTS'.
>> for (i = 0; i < test_params->bonded_slave_count; i++) {
>> /* Generate test bursts of packets to transmit */
>> TEST_ASSERT_EQUAL(generate_test_burst(
>>
>
> .
>
On 4/30/2021 3:54 AM, Min Hu (Connor) wrote:
>
>
> On 2021/4/29 21:33, Ferruh Yigit wrote:
>> On 4/27/2021 2:40 AM, Min Hu (Connor) wrote:
>>> Buffer 'test_params->slave_port_ids' of size 6 accessed may
>>> overflow, since its index 'i' can have a value that is out of range.
>>>
>>> This patch fixed it.
>>>
>>> Fixes: 92073ef961ee ("bond: unit tests")
>>> Cc: stable@dpdk.org
>>>
>>> Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
>>> ---
>>> v2:
>>> * fix bonded_slave_count value.
>>> ---
>>> app/test/test_link_bonding.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/app/test/test_link_bonding.c b/app/test/test_link_bonding.c
>>> index 8a5c831..f8abb22 100644
>>> --- a/app/test/test_link_bonding.c
>>> +++ b/app/test/test_link_bonding.c
>>> @@ -2216,6 +2216,9 @@ test_activebackup_rx_burst(void)
>>> "failed to get primary slave for bonded port (%d)",
>>> test_params->bonded_port_id);
>>> + if (test_params->bonded_slave_count > TEST_MAX_NUMBER_OF_PORTS)
>>> + test_params->bonded_slave_count = TEST_MAX_NUMBER_OF_PORTS;
>>> +
>>
>> Hi Connor,
>>
>> Similar comment as the previous version, what is the root cause, how does
>> 'bonded_slave_count' end up being bigger than 'TEST_MAX_NUMBER_OF_PORTS'?
>>
> Hi Ferruh,
> Currently, it will not happen.
> But if the testcase is extended, for instance,
> "test_add_slave_to_bonded_device" is called over
> TEST_MAX_NUMBER_OF_PORTS(6) times in
> "test_add_already_bonded_slave_to_bonded_device",
> then 'bonded_slave_count' will be bigger than
> 'TEST_MAX_NUMBER_OF_PORTS'.
>
What do you think about adding a 'test_params->bonded_slave_count' check at the
beginning of 'test_add_slave_to_bonded_device()' and failing the test case if it is
bigger than 'TEST_MAX_NUMBER_OF_PORTS'?
>>> for (i = 0; i < test_params->bonded_slave_count; i++) {
>>> /* Generate test bursts of packets to transmit */
>>> TEST_ASSERT_EQUAL(generate_test_burst(
>>>
>>
>> .
>>
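The trade-off discussed in this thread, as an added example that is not part of the patch or of DPDK's test suite: a small C model contrasting a check in the add path that fails the test with the clamp at the use site. `struct params_model`, both helper functions and the placement of the increment are assumptions; only the two field names and `TEST_MAX_NUMBER_OF_PORTS` (6) come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#define TEST_MAX_NUMBER_OF_PORTS 6 /* value quoted in the thread */

/* Hypothetical model of the shared test state (two fields only). */
struct params_model {
	uint16_t slave_port_ids[TEST_MAX_NUMBER_OF_PORTS];
	uint8_t bonded_slave_count;
};

/* Add path with the check up front; >= because this model increments
 * the count right after the check (an assumption). */
static int add_slave_checked(struct params_model *p)
{
	if (p->bonded_slave_count >= TEST_MAX_NUMBER_OF_PORTS)
		return -1; /* fail the test case at the root cause */
	p->bonded_slave_count++;
	return 0;
}

/* Fail-fast: zero-based index of the first rejected add, or -1. */
int first_rejected_add(int adds)
{
	struct params_model p = {0};
	for (int n = 0; n < adds; n++)
		if (add_slave_checked(&p) != 0)
			return n;
	return -1;
}

/* Clamp at the use site, as in the v2 hunk: the add path only counts
 * and the loop bound is trimmed later. Returns the slaves visited. */
int slaves_visited_after_clamp(int adds)
{
	struct params_model p = {0};
	int visited = 0;
	for (int n = 0; n < adds; n++)
		p.bonded_slave_count++; /* unchecked add path */
	if (p.bonded_slave_count > TEST_MAX_NUMBER_OF_PORTS)
		p.bonded_slave_count = TEST_MAX_NUMBER_OF_PORTS;
	for (int i = 0; i < p.bonded_slave_count; i++, visited++)
		(void)p.slave_port_ids[i]; /* in-bounds read */
	return visited;
}

int main(void)
{
	printf("%d %d\n", first_rejected_add(8), slaves_visited_after_clamp(8));
	return 0;
}
```

With eight adds, the checked path reports the seventh call (index 6) as the failure, while the clamped path visits six slaves and returns normally with no sign that two adds were dropped.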
@@ -2216,6 +2216,9 @@ test_activebackup_rx_burst(void)
"failed to get primary slave for bonded port (%d)",
test_params->bonded_port_id);
+ if (test_params->bonded_slave_count > TEST_MAX_NUMBER_OF_PORTS)
+ test_params->bonded_slave_count = TEST_MAX_NUMBER_OF_PORTS;
+
for (i = 0; i < test_params->bonded_slave_count; i++) {
/* Generate test bursts of packets to transmit */
TEST_ASSERT_EQUAL(generate_test_burst(
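Review bot: the two added lines overwrite 'test_params->bonded_slave_count' with TEST_MAX_NUMBER_OF_PORTS and then let the test continue, so a count that has already gone out of range is hidden rather than reported, and the stored count no longer matches the number of add calls that produced it. Since this is test code, failing is more useful than clamping: replace the assignment with an assertion such as `TEST_ASSERT(test_params->bonded_slave_count <= TEST_MAX_NUMBER_OF_PORTS, "bonded slave count out of range")` so the run stops at the inconsistency. A short comment on why the bound is checked here would also help, since the commit message does not name a path that exceeds it.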