From patchwork Wed Mar 31 19:02:55 2021
X-Patchwork-Submitter: "Ma, WenwuX"
X-Patchwork-Id: 90169
X-Patchwork-Delegate: thomas@monjalon.net
From: Wenwu Ma
To: olivier.matz@6wind.com
Cc: dev@dpdk.org
Date: Wed, 31 Mar 2021 19:02:55 +0000
Message-Id: <20210331190255.3995-1-wenwux.ma@intel.com>
Subject: [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members
List-Id: DPDK patches and discussions

Before accessing the private data of mempool in function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(), it is necessary to determine whether the private data exists, otherwise it will cause heap-buffer-overflow.

Signed-off-by: Wenwu Ma
---
 lib/librte_mbuf/rte_mbuf.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h index c4c9ebfaa..6c2559550 100644 --- a/lib/librte_mbuf/rte_mbuf.h +++ b/lib/librte_mbuf/rte_mbuf.h @@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp) { struct rte_pktmbuf_pool_private *mbp_priv; + if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private)) + return 0; + mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp); return mbp_priv->mbuf_data_room_size; } @@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp) { struct rte_pktmbuf_pool_private *mbp_priv; + if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private)) + return 0; + mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp); return mbp_priv->mbuf_priv_size; }
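Review bot: In the first hunk (rte_pktmbuf_data_room_size), the new "return 0;" cannot be told apart from a pktmbuf pool whose mbuf_data_room_size really is 0, so a caller that passed a mempool without pktmbuf private data gets no signal that it did so. Please state the 0 return and its meaning in the function's doc comment, and consider reporting the mismatch (for example a debug-build assertion or log) rather than only returning silently. Note also that "mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private)" only proves the private area is large enough: a mempool whose private area holds some other structure of at least that size still passes the check and has its bytes read as mbuf_data_room_size, so the out-of-bounds read is closed but the type confusion is not.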
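Review bot: In the second hunk (rte_pktmbuf_priv_size), the guard is a verbatim copy of the one added to rte_pktmbuf_data_room_size; since both functions live in the same header, factor the size check and the cast of rte_mempool_get_priv(mp) into one small inline helper that returns the private pointer or NULL, so the two accessors cannot drift apart when the check is later changed. As in the first hunk, 0 is a valid mbuf_priv_size for a real pktmbuf pool, so the doc comment should say that 0 is also returned when the pool carries no pktmbuf private data, and callers that use the value to locate the buffer should be checked for how they handle that case.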