mbuf: Fix illegal pointer access to mempool members
Checks
Commit Message
Before accessing the private data of mempool in
function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
it is necessary to determine whether the private data exists,
otherwise it will cause heap-buffer-overflow.
Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
lib/librte_mbuf/rte_mbuf.h | 6 ++++++
1 file changed, 6 insertions(+)
@@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp)
{
struct rte_pktmbuf_pool_private *mbp_priv;
+ if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+ return 0;
+
mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
return mbp_priv->mbuf_data_room_size;
}
@@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp)
{
struct rte_pktmbuf_pool_private *mbp_priv;
+ if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+ return 0;
+
mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
return mbp_priv->mbuf_priv_size;
}