[dpdk-dev] app/testpmd: fix invalid memory access
Checks
Commit Message
When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
mask->length is not the real size of binary pattern, it should take
spec->length, or memory size will be over counted (0xffff) and invalid
memory be access during following memcpy.
Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
---
app/test-pmd/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
Hi, zhang qi
This fix patch to DPDK.or is also useful for igb flex byte core dump issue.
I have validation it. But there is some patch check warning.
https://dpdk.org/dev/patchwork/patch/39417/
> -----Original Message-----
> From: Zhang, Qi Z
> Sent: Monday, May 7, 2018 5:51 PM
> To: adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei <wei.zhao1@intel.com>;
> dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> Subject: [PATCH] app/testpmd: fix invalid memory access
>
> When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> mask->length is not the real size of binary pattern, it should take
> spec->length, or memory size will be over counted (0xffff) and invalid
> memory be access during following memcpy.
>
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
>
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> ---
> app/test-pmd/config.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> 16fc481ce..bcaf429c4 100644
> --- a/app/test-pmd/config.c
> +++ b/app/test-pmd/config.c
> @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> rte_flow_item *item,
> dst.raw = buf;
> off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
> sizeof(*src.raw->pattern));
> - size = off + src.raw->length * sizeof(*src.raw->pattern);
> + size = off + ((const struct rte_flow_item_raw *)item->spec)->
> + length * sizeof(*src.raw->pattern);
> if (dst.raw) {
> memcpy(dst.raw, src.raw, sizeof(*src.raw));
> dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
> --
> 2.13.6
Hi Zhao Wei:
> -----Original Message-----
> From: Zhao1, Wei
> Sent: Tuesday, May 8, 2018 2:24 PM
> To: Zhang, Qi Z <qi.z.zhang@intel.com>; adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] app/testpmd: fix invalid memory access
>
> Hi, zhang qi
> This fix patch to DPDK.or is also useful for igb flex byte core dump issue.
> I have validation it. But there is some patch check warning.
> https://dpdk.org/dev/patchwork/patch/39417/
Thanks for testing, I will capture the typo if Adrien agree with the fix.
Regards
Qi
>
>
>
> > -----Original Message-----
> > From: Zhang, Qi Z
> > Sent: Monday, May 7, 2018 5:51 PM
> > To: adrien.mazarguil@6wind.com
> > Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei
> <wei.zhao1@intel.com>;
> > dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> > Subject: [PATCH] app/testpmd: fix invalid memory access
> >
> > When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> > mask->length is not the real size of binary pattern, it should take
> > spec->length, or memory size will be over counted (0xffff) and invalid
> > memory be access during following memcpy.
> >
> > Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> >
> > Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> > ---
> > app/test-pmd/config.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> > 16fc481ce..bcaf429c4 100644
> > --- a/app/test-pmd/config.c
> > +++ b/app/test-pmd/config.c
> > @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> > rte_flow_item *item,
> > dst.raw = buf;
> > off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
> > sizeof(*src.raw->pattern));
> > - size = off + src.raw->length * sizeof(*src.raw->pattern);
> > + size = off + ((const struct rte_flow_item_raw *)item->spec)->
> > + length * sizeof(*src.raw->pattern);
> > if (dst.raw) {
> > memcpy(dst.raw, src.raw, sizeof(*src.raw));
> > dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
> > --
> > 2.13.6
07/05/2018 11:50, Qi Zhang:
> When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> mask->length is not the real size of binary pattern, it should take
> spec->length, or memory size will be over counted (0xffff) and invalid
> memory be access during following memcpy.
>
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
>
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
Applied, thanks
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item *item,
dst.raw = buf;
off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
sizeof(*src.raw->pattern));
- size = off + src.raw->length * sizeof(*src.raw->pattern);
+ size = off + ((const struct rte_flow_item_raw *)item->spec)->
+ length * sizeof(*src.raw->pattern);
if (dst.raw) {
memcpy(dst.raw, src.raw, sizeof(*src.raw));
dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,