[dpdk-dev] app/testpmd: fix invalid memory access

Message ID 20180507095044.48038-1-qi.z.zhang@intel.com (mailing list archive)
State Accepted, archived
Checks

Context               Check    Description
ci/checkpatch         warning  coding style issues
ci/Intel-compilation  success  Compilation OK

Commit Message

Qi Zhang May 7, 2018, 9:50 a.m. UTC
When calculating the memory size of an RTE_FLOW_ITEM_TYPE_RAW's mask,
mask->length is not the real size of the binary pattern; it should take
spec->length, or the memory size will be over counted (0xffff) and invalid
memory will be accessed during the following memcpy.

Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")

Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
---
 app/test-pmd/config.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Comments

Zhao1, Wei May 8, 2018, 6:24 a.m. UTC | #1
Hi, zhang qi 
  This fix patch to DPDK.org is also useful for the igb flex byte core dump issue.
I have validated it. But there is some patch check warning.
https://dpdk.org/dev/patchwork/patch/39417/



> -----Original Message-----
> From: Zhang, Qi Z
> Sent: Monday, May 7, 2018 5:51 PM
> To: adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei <wei.zhao1@intel.com>;
> dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> Subject: [PATCH] app/testpmd: fix invalid memory access
> 
> When calculating the memory size of an RTE_FLOW_ITEM_TYPE_RAW's mask,
> mask->length is not the real size of the binary pattern; it should take
> spec->length, or the memory size will be over counted (0xffff) and invalid
> memory will be accessed during the following memcpy.
> 
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> 
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> ---
>  app/test-pmd/config.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> 16fc481ce..bcaf429c4 100644
> --- a/app/test-pmd/config.c
> +++ b/app/test-pmd/config.c
> @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> rte_flow_item *item,
>  		dst.raw = buf;
>  		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
>  				     sizeof(*src.raw->pattern));
> -		size = off + src.raw->length * sizeof(*src.raw->pattern);
> +		size = off + ((const struct rte_flow_item_raw *)item->spec)->
> +			length * sizeof(*src.raw->pattern);
>  		if (dst.raw) {
>  			memcpy(dst.raw, src.raw, sizeof(*src.raw));
>  			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
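Review bot: The new `size` assignment breaks the line between `->` and `length`, which is hard to read and sits awkwardly with the coding style check on this patch. Taking a local first, `const struct rte_flow_item_raw *spec = item->spec;`, would let the assignment read `size = off + spec->length * sizeof(*src.raw->pattern);` on one line.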
> --
> 2.13.6
  
Qi Zhang May 8, 2018, 8:31 a.m. UTC | #2
Hi Zhao Wei:

> -----Original Message-----
> From: Zhao1, Wei
> Sent: Tuesday, May 8, 2018 2:24 PM
> To: Zhang, Qi Z <qi.z.zhang@intel.com>; adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] app/testpmd: fix invalid memory access
> 
> Hi, zhang qi
>   This fix patch to DPDK.org is also useful for the igb flex byte core dump issue.
> I have validated it. But there is some patch check warning.
> https://dpdk.org/dev/patchwork/patch/39417/

Thanks for testing, I will capture the typo if Adrien agrees with the fix.

Regards
Qi

> 
> 
> 
> > -----Original Message-----
> > From: Zhang, Qi Z
> > Sent: Monday, May 7, 2018 5:51 PM
> > To: adrien.mazarguil@6wind.com
> > Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei <wei.zhao1@intel.com>;
> > dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> > Subject: [PATCH] app/testpmd: fix invalid memory access
> >
> > When calculating the memory size of an RTE_FLOW_ITEM_TYPE_RAW's mask,
> > mask->length is not the real size of the binary pattern; it should take
> > spec->length, or the memory size will be over counted (0xffff) and invalid
> > memory will be accessed during the following memcpy.
> >
> > Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> >
> > Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> > ---
> >  app/test-pmd/config.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> > 16fc481ce..bcaf429c4 100644
> > --- a/app/test-pmd/config.c
> > +++ b/app/test-pmd/config.c
> > @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> > rte_flow_item *item,
> >  		dst.raw = buf;
> >  		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
> >  				     sizeof(*src.raw->pattern));
> > -		size = off + src.raw->length * sizeof(*src.raw->pattern);
> > +		size = off + ((const struct rte_flow_item_raw *)item->spec)->
> > +			length * sizeof(*src.raw->pattern);
> >  		if (dst.raw) {
> >  			memcpy(dst.raw, src.raw, sizeof(*src.raw));
> >  			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
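Review bot: The length argument of the pattern memcpy at the end of this hunk is cut off, and it needs to be the same spec-derived count as the new `size`, not `src.raw->length`. The preceding `memcpy(dst.raw, src.raw, sizeof(*src.raw))` still copies the source's own `length` field, so a short comment on the `size` line saying that a mask's `length` is not a byte count would document why `item->spec` is used.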
> > --
> > 2.13.6
  
Thomas Monjalon May 9, 2018, 1:58 p.m. UTC | #3
07/05/2018 11:50, Qi Zhang:
> When calculating the memory size of an RTE_FLOW_ITEM_TYPE_RAW's mask,
> mask->length is not the real size of the binary pattern; it should take
> spec->length, or the memory size will be over counted (0xffff) and invalid
> memory will be accessed during the following memcpy.
> 
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> 
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>

Applied, thanks
  

Patch

diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@  flow_item_spec_copy(void *buf, const struct rte_flow_item *item,
 		dst.raw = buf;
 		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
 				     sizeof(*src.raw->pattern));
-		size = off + src.raw->length * sizeof(*src.raw->pattern);
+		size = off + ((const struct rte_flow_item_raw *)item->spec)->
+			length * sizeof(*src.raw->pattern);
 		if (dst.raw) {
 			memcpy(dst.raw, src.raw, sizeof(*src.raw));
 			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
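Review bot: The added `((const struct rte_flow_item_raw *)item->spec)->length` dereferences `item->spec` with no NULL check in the lines shown. If this function can be reached for an item that carries a mask but no spec, that is a NULL dereference; either guard it (for example, treat a NULL spec as length 0) or add a comment stating why `item->spec` is always set at this point.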