[PATCH 2/3] net/bonding: fix illegal memory accesses
Ferruh Yigit
ferruh.yigit at amd.com
Tue Oct 31 15:51:19 CET 2023
On 10/10/2023 7:23 AM, Chaoyong He wrote:
> From: Long Wu <long.wu at corigine.com>
>
> CI found that overrunning array of 32 2-byte elements at
> element index 65535 (byte offset 131071) by dereferencing
> pointer "members + agg_new_idx".
>
> Coverity issue: 403099
> Fixes: 6d72657ce379 ("net/bonding: add other aggregator modes")
> Cc: danielx.t.mrzyglod at intel.com
> Cc: stable at dpdk.org
>
> Signed-off-by: Long Wu <long.wu at corigine.com>
> Reviewed-by: Chaoyong He <chaoyong.he at corigine.com>
> Reviewed-by: Peng Zhang <peng.zhang at corigine.com>
> ---
> drivers/net/bonding/rte_eth_bond_8023ad.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/bonding/rte_eth_bond_8023ad.c b/drivers/net/bonding/rte_eth_bond_8023ad.c
> index 677067870f..0be33f61e3 100644
> --- a/drivers/net/bonding/rte_eth_bond_8023ad.c
> +++ b/drivers/net/bonding/rte_eth_bond_8023ad.c
> @@ -732,10 +732,14 @@ selection_logic(struct bond_dev_private *internals, uint16_t member_id)
> switch (internals->mode4.agg_selection) {
> case AGG_COUNT:
> agg_new_idx = max_index(agg_count, members_count);
> + if (agg_new_idx >= members_count)
> + agg_new_idx = default_member;
> new_agg_id = members[agg_new_idx];
>
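Review bot: in the AGG_COUNT case, the fallback "agg_new_idx = default_member" is not itself validated, and nothing in this hunk shows that default_member is below members_count, so with members_count == 0 the read at "new_agg_id = members[agg_new_idx];" is still out of range. Either handle an empty member list before the switch, or add a comment stating why default_member is always a valid index. It would also help to note next to the new check that it guards the case where the uint16_t result of max_index() is not a real index, since the commit message only cites the Coverity index 65535.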
Overrun may happen when 'max_index()' returns error, '-1', which becomes
'UINT16_MAX' as function returns 'uint16_t'.
And 'max_index()' returns error only if "members_count <= 0", but as far
as I can see 'members_count' can't be "<= 0" anyway.
What do you think about removing the check in 'max_index()', or adding a check
in 'selection_logic()' for 'members_count == 0', but not sure what to do
'max_index()' in this case, so updating 'max_index()' is simpler.
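The conversion described in the reply above, shown as an added example that is not part of the original message or the DPDK source. `max_index_model()` and `select_member()` are hypothetical stand-ins, and the array contents are constructed; the sketch shows how a `-1` error return becomes index 65535 through a `uint16_t` return type, and a selection that validates both the returned index and the fallback.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_MEMBERS 32	/* constructed: the "array of 32 2-byte elements" in the report */

/* Hypothetical stand-in for a helper that signals an error with -1
 * through a uint16_t return type; not the DPDK implementation. */
static uint16_t
max_index_model(const uint64_t *a, int n)
{
	if (n <= 0)
		return -1;	/* implicitly converted to UINT16_MAX (65535) */
	int best = 0;
	for (int i = 1; i < n; i++)
		if (a[i] > a[best])
			best = i;
	return (uint16_t)best;
}

/* Bounds-checked selection (assumed interface): stores the chosen member id
 * in *out and returns 0, or returns -1 without reading members[]. */
static int
select_member(const uint16_t *members, const uint64_t *agg_count,
	      uint16_t members_count, uint16_t default_idx, uint16_t *out)
{
	uint16_t idx = max_index_model(agg_count, members_count);

	if (idx >= members_count)	/* catches the 65535 sentinel */
		idx = default_idx;
	if (idx >= members_count)	/* the fallback needs validating too */
		return -1;
	*out = members[idx];
	return 0;
}

int main(void)
{
	uint16_t members[MAX_MEMBERS] = {10, 11, 12};	/* constructed port ids */
	uint64_t agg_count[MAX_MEMBERS] = {1, 5, 2};	/* constructed counters */
	uint16_t id = 0;

	printf("sentinel index: %u\n", max_index_model(agg_count, 0));
	if (select_member(members, agg_count, 3, 0, &id) == 0)
		printf("selected member id: %u\n", id);
	printf("empty list rc: %d\n", select_member(members, agg_count, 0, 0, &id));
	return 0;
}
```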