[dpdk-dev] Unsafe array accesses in rte_sched.c
Simon Kågström
simon.kagstrom at netinsight.net
Fri Oct 16 10:49:22 CEST 2015
Hi!
I'm investigating DPDK support for pacing output streams and trying to
understand the QoS framework. However, I quickly found some instances of
unsafe array accesses. E.g., the rte_sched_port_config_qsize function
looks like this:
static void
rte_sched_port_config_qsize(struct rte_sched_port *port)
{
/* TC 0 */
port->qsize_add[0] = 0;
port->qsize_add[1] = port->qsize_add[0] + port->qsize[0];
port->qsize_add[2] = port->qsize_add[1] + port->qsize[0];
port->qsize_add[3] = port->qsize_add[2] + port->qsize[0];
[...]
/* TC 3 */
port->qsize_add[12] = port->qsize_add[11] + port->qsize[2];
port->qsize_add[13] = port->qsize_add[12] + port->qsize[3];
port->qsize_add[14] = port->qsize_add[13] + port->qsize[3];
port->qsize_add[15] = port->qsize_add[14] + port->qsize[3];
port->qsize_sum = port->qsize_add[15] + port->qsize[3];
}
but port->qsize is actually defined as
uint16_t qsize[RTE_SCHED_TRAFFIC_CLASSES_PER_PIPE];
There are similar problems in rte_sched_port_log_pipe_profile() and
probably other places.
I don't understand the code well enough to send patches for these,
although the fixes should be fairly trivial. Perhaps this is already
known as it should be fairly easy to trigger with static checkers?
// Simon
More information about the dev
mailing list