diff mbox series

mbuf: Fix illegal pointer access to mempool members

Message ID	20210331134319.3035-1-wenwux.ma@intel.com (mailing list archive)
State	Superseded, archived
Headers	IronPort-SDR: WV8Srh0NaieOITPVCCXB4S0IiczQNuG3xGoeCQ62ON8IKzxPvYvfhB3fkQ45Ruuue+oDyQx2CM jOfqE6KKSBng== IronPort-SDR: deY54XH9ccT+pCqlCjFt7gAgj+ck+XkuQ3/zoD10AP4XOKefRQqMGEgDclyywdQOyETeLkXm1/ HiIsr/DP+VCw== From: Wenwu Ma <wenwux.ma@intel.com> To: olivier.matz@6wind.com, dev@dpdk.org Cc: Wenwu Ma <wenwux.ma@intel.com> Date: Wed, 31 Mar 2021 13:43:19 +0000 Message-Id: <20210331134319.3035-1-wenwux.ma@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	mbuf: Fix illegal pointer access to mempool members \| mbuf: Fix illegal pointer access to mempool members

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/iol-abi-testing	success	Testing PASS
ci/travis-robot	success	travis build: passed
ci/github-robot	success	github build: passed
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-testing	warning	Testing issues

Commit Message

Ma, WenwuX March 31, 2021, 1:43 p.m. UTC

  Before accessing the private data of mempool in
function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
it is necessary to determine whether the private data exists,
otherwise it will cause null pointer access.

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 lib/librte_mbuf/rte_mbuf.h | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Jerin Jacob March 31, 2021, 7:12 a.m. UTC | #1

On Wed, Mar 31, 2021 at 7:19 AM Wenwu Ma <wenwux.ma@intel.com> wrote:
>
> Before accessing the private data of mempool in
> function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
> it is necessary to determine whether the private data exists,
> otherwise it will cause null pointer access.
>
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
> ---
>  lib/librte_mbuf/rte_mbuf.h | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
> index c4c9ebfaa..6c2559550 100644
> --- a/lib/librte_mbuf/rte_mbuf.h
> +++ b/lib/librte_mbuf/rte_mbuf.h
> @@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp)
>  {
>         struct rte_pktmbuf_pool_private *mbp_priv;
>
> +       if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
> +               return 0;

If mp->private_data_size updated in the slow path at mempool create
time, why not have this sanity check in the slow path?


> +
>         mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
>         return mbp_priv->mbuf_data_room_size;
>  }
> @@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp)
>  {
>         struct rte_pktmbuf_pool_private *mbp_priv;
>
> +       if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
> +               return 0;
> +
>         mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
>         return mbp_priv->mbuf_priv_size;
>  }
> --
> 2.25.1
>

diff mbox series

Patch

diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
index c4c9ebfaa..6c2559550 100644
--- a/lib/librte_mbuf/rte_mbuf.h
+++ b/lib/librte_mbuf/rte_mbuf.h
@@ -811,6 +811,9 @@  rte_pktmbuf_data_room_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_data_room_size;
 }
@@ -832,6 +835,9 @@  rte_pktmbuf_priv_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_priv_size;
 }