diff mbox

[dpdk-dev] lib/librte_pipeline:fix the array index out of bound

Message ID 1503471932-22577-1-git-send-email-xie.rongqiang@zte.com.cn (mailing list archive)
State Rejected, archived
Headers

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK

Commit Message

Xie RongQiang Aug. 23, 2017, 7:05 a.m. UTC 
  In function rte_pipeline_compute_masks(), the value pos equal
p->entries[i]->action,type constraint p->entries[i]->action is
[0,4],but array action_mask1 size is 4,it possible attempt to
access element 4 of array action_mask1.And also in function
rte_pipeline_run(),it possible attempt to access element 4 of
array action_mask0.

Signed-off-by: Rongqiang XIE <xie.rongqiang@zte.com.cn>
---
 lib/librte_pipeline/rte_pipeline.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Cristian Dumitrescu Sept. 20, 2017, 12:01 p.m. UTC | #1 
> -----Original Message-----
> From: Rongqiang XIE [mailto:xie.rongqiang@zte.com.cn]
> Sent: Wednesday, August 23, 2017 8:06 AM
> To: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> Cc: dev@dpdk.org; Rongqiang XIE <xie.rongqiang@zte.com.cn>
> Subject: [PATCH] lib/librte_pipeline:fix the array index out of bound
> 
> In function rte_pipeline_compute_masks(), the value pos equal
> p->entries[i]->action,type constraint p->entries[i]->action is
> [0,4],but array action_mask1 size is 4,it possible attempt to
> access element 4 of array action_mask1.And also in function
> rte_pipeline_run(),it possible attempt to access element 4 of
> array action_mask0.
> 
> Signed-off-by: Rongqiang XIE <xie.rongqiang@zte.com.cn>
> ---
>  lib/librte_pipeline/rte_pipeline.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/librte_pipeline/rte_pipeline.c
> b/lib/librte_pipeline/rte_pipeline.c
> index 7f8fbac..2914445 100644
> --- a/lib/librte_pipeline/rte_pipeline.c
> +++ b/lib/librte_pipeline/rte_pipeline.c
> @@ -155,8 +155,8 @@ struct rte_pipeline {
>  	/* Pipeline run structures */
>  	struct rte_mbuf *pkts[RTE_PORT_IN_BURST_SIZE_MAX];
>  	struct rte_pipeline_table_entry
> *entries[RTE_PORT_IN_BURST_SIZE_MAX];
> -	uint64_t action_mask0[RTE_PIPELINE_ACTIONS];
> -	uint64_t action_mask1[RTE_PIPELINE_ACTIONS];
> +	uint64_t action_mask0[RTE_PIPELINE_ACTIONS + 1];
> +	uint64_t action_mask1[RTE_PIPELINE_ACTIONS + 1];
>  	uint64_t pkts_mask;
>  	uint64_t n_pkts_ah_drop;
>  	uint64_t pkts_drop_mask;
> --
> 1.8.3.1
> 
> 

NAK

Hi Rongqiang,

Thanks for your patch, but I think there is a confusion on your side here:

	pos = p->entries[i]->action can only be 0 .. 3 (and not: 0 .. 4), as the last value in the enum rte_pipeline_action, namely RTE_PIPELINE_ACTIONS (equal to 4), is not a valid action, but the number of valid actions (which are specified by enu values 0 ..3).

Makes sense?

Regards,
Cristian
diff mbox

Patch

diff --git a/lib/librte_pipeline/rte_pipeline.c b/lib/librte_pipeline/rte_pipeline.c
index 7f8fbac..2914445 100644
--- a/lib/librte_pipeline/rte_pipeline.c
+++ b/lib/librte_pipeline/rte_pipeline.c
@@ -155,8 +155,8 @@  struct rte_pipeline {
 	/* Pipeline run structures */
 	struct rte_mbuf *pkts[RTE_PORT_IN_BURST_SIZE_MAX];
 	struct rte_pipeline_table_entry *entries[RTE_PORT_IN_BURST_SIZE_MAX];
-	uint64_t action_mask0[RTE_PIPELINE_ACTIONS];
-	uint64_t action_mask1[RTE_PIPELINE_ACTIONS];
+	uint64_t action_mask0[RTE_PIPELINE_ACTIONS + 1];
+	uint64_t action_mask1[RTE_PIPELINE_ACTIONS + 1];
 	uint64_t pkts_mask;
 	uint64_t n_pkts_ah_drop;
 	uint64_t pkts_drop_mask;