[PATCH 2/3] net/bonding: fix illegal memory accesses
Chaoyong He
chaoyong.he at corigine.com
Tue Oct 10 08:23:03 CEST 2023
From: Long Wu <long.wu at corigine.com>
CI found that overrunning array of 32 2-byte elements at
element index 65535 (byte offset 131071) by dereferencing
pointer "members + agg_new_idx".
Coverity issue: 403099
Fixes: 6d72657ce379 ("net/bonding: add other aggregator modes")
Cc: danielx.t.mrzyglod at intel.com
Cc: stable at dpdk.org
Signed-off-by: Long Wu <long.wu at corigine.com>
Reviewed-by: Chaoyong He <chaoyong.he at corigine.com>
Reviewed-by: Peng Zhang <peng.zhang at corigine.com>
---
drivers/net/bonding/rte_eth_bond_8023ad.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/bonding/rte_eth_bond_8023ad.c b/drivers/net/bonding/rte_eth_bond_8023ad.c
index 677067870f..0be33f61e3 100644
--- a/drivers/net/bonding/rte_eth_bond_8023ad.c
+++ b/drivers/net/bonding/rte_eth_bond_8023ad.c
@@ -732,10 +732,14 @@ selection_logic(struct bond_dev_private *internals, uint16_t member_id)
switch (internals->mode4.agg_selection) {
case AGG_COUNT:
agg_new_idx = max_index(agg_count, members_count);
+ if (agg_new_idx >= members_count)
+ agg_new_idx = default_member;
new_agg_id = members[agg_new_idx];
break;
case AGG_BANDWIDTH:
agg_new_idx = max_index(agg_bandwidth, members_count);
+ if (agg_new_idx >= members_count)
+ agg_new_idx = default_member;
new_agg_id = members[agg_new_idx];
break;
case AGG_STABLE:
--
2.39.1
More information about the stable
mailing list