[dpdk-dev] Unsafe array accesses in rte_sched.c

Simon Kågström simon.kagstrom at netinsight.net
Fri Oct 16 10:49:22 CEST 2015


Hi!

I'm investigating DPDK support for pacing output streams and trying to
understand the QoS framework. However, I quickly found some instances of
unsafe array accesses. E.g., the rte_sched_port_config_qsize function
looks like this:

  static void
  rte_sched_port_config_qsize(struct rte_sched_port *port)
  {
        /* TC 0 */
        port->qsize_add[0] = 0;
        port->qsize_add[1] = port->qsize_add[0] + port->qsize[0];
        port->qsize_add[2] = port->qsize_add[1] + port->qsize[0];
        port->qsize_add[3] = port->qsize_add[2] + port->qsize[0];

  [...]

        /* TC 3 */
        port->qsize_add[12] = port->qsize_add[11] + port->qsize[2];
        port->qsize_add[13] = port->qsize_add[12] + port->qsize[3];
        port->qsize_add[14] = port->qsize_add[13] + port->qsize[3];
        port->qsize_add[15] = port->qsize_add[14] + port->qsize[3];

        port->qsize_sum = port->qsize_add[15] + port->qsize[3];
  }

but port->qsize is actually defined as

  uint16_t qsize[RTE_SCHED_TRAFFIC_CLASSES_PER_PIPE];

There are similar problems in rte_sched_port_log_pipe_profile() and
probably other places.


I don't understand the code well enough to send patches for these,
although the fixes should be fairly trivial. Perhaps this is already
known as it should be fairly easy to trigger with static checkers?

// Simon



More information about the dev mailing list