[dpdk-dev,5/5] malloc: fix potential negative return
Checks
Commit Message
Return value from rte_socket_id_by_idx() may be negative, which would
result in negative index access.
Additionally, return value was of mismatched type (function returns
signed int, socket id was unsigned).
Coverity issue: 272571
Coverity issue: 272597
Fixes: 30bc6bf0d516 ("malloc: add function to dump heap contents")
Cc: anatoly.burakov@intel.com
Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
lib/librte_eal/common/rte_malloc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Comments
On 4/17/2018 11:48 PM, Anatoly Burakov wrote:
> Return value from rte_socket_id_by_idx() may be negative, which would
> result in negative index access.
>
> Additionally, return value was of mismatched type (function returns
> signed int, socket id was unsigned).
>
> Coverity issue: 272571
> Coverity issue: 272597
>
> Fixes: 30bc6bf0d516 ("malloc: add function to dump heap contents")
> Cc: anatoly.burakov@intel.com
>
> Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
> ---
> lib/librte_eal/common/rte_malloc.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/lib/librte_eal/common/rte_malloc.c b/lib/librte_eal/common/rte_malloc.c
> index b51a6d1..f207ba2 100644
> --- a/lib/librte_eal/common/rte_malloc.c
> +++ b/lib/librte_eal/common/rte_malloc.c
> @@ -169,7 +169,11 @@ rte_malloc_dump_heaps(FILE *f)
> unsigned int idx;
>
> for (idx = 0; idx < rte_socket_count(); idx++) {
> - unsigned int socket = rte_socket_id_by_idx(idx);
> + int socket = rte_socket_id_by_idx(idx);
> + if (socket < 0) {
> + RTE_LOG(ERR, EAL, "Invalid socket index: %u\n", idx);
> + continue;
> + }
For such check (and many others), we are clear that idx is guaranteed by
rte_socket_count(), so rte_socket_id_by_idx() can never return -1. So
why not just reporting this as false-positive?
Thanks,
Jianfeng
> fprintf(f, "Heap on socket %i:\n", socket);
> malloc_heap_dump(&mcfg->malloc_heaps[socket], f);
> }
On 25-Apr-18 9:24 AM, Tan, Jianfeng wrote:
>
>
> On 4/17/2018 11:48 PM, Anatoly Burakov wrote:
>> Return value from rte_socket_id_by_idx() may be negative, which would
>> result in negative index access.
>>
>> Additionally, return value was of mismatched type (function returns
>> signed int, socket id was unsigned).
>>
>> Coverity issue: 272571
>> Coverity issue: 272597
>>
>> Fixes: 30bc6bf0d516 ("malloc: add function to dump heap contents")
>> Cc: anatoly.burakov@intel.com
>>
>> Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
>> ---
>> lib/librte_eal/common/rte_malloc.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/librte_eal/common/rte_malloc.c
>> b/lib/librte_eal/common/rte_malloc.c
>> index b51a6d1..f207ba2 100644
>> --- a/lib/librte_eal/common/rte_malloc.c
>> +++ b/lib/librte_eal/common/rte_malloc.c
>> @@ -169,7 +169,11 @@ rte_malloc_dump_heaps(FILE *f)
>> unsigned int idx;
>> for (idx = 0; idx < rte_socket_count(); idx++) {
>> - unsigned int socket = rte_socket_id_by_idx(idx);
>> + int socket = rte_socket_id_by_idx(idx);
>> + if (socket < 0) {
>> + RTE_LOG(ERR, EAL, "Invalid socket index: %u\n", idx);
>> + continue;
>> + }
>
> For such check (and many others), we are clear that idx is guaranteed by
> rte_socket_count(), so rte_socket_id_by_idx() can never return -1. So
> why not just reporting this as false-positive?
Well, technically, if someone were to corrupt rte_config, it would
introduce a possibility of a negative return. However, i guess, at that
point we've got bigger problems, so perhaps you're right and i should
drop these fixes.
>
> Thanks,
> Jianfeng
>
>> fprintf(f, "Heap on socket %i:\n", socket);
>> malloc_heap_dump(&mcfg->malloc_heaps[socket], f);
>> }
>
>
@@ -169,7 +169,11 @@ rte_malloc_dump_heaps(FILE *f)
unsigned int idx;
for (idx = 0; idx < rte_socket_count(); idx++) {
- unsigned int socket = rte_socket_id_by_idx(idx);
+ int socket = rte_socket_id_by_idx(idx);
+ if (socket < 0) {
+ RTE_LOG(ERR, EAL, "Invalid socket index: %u\n", idx);
+ continue;
+ }
fprintf(f, "Heap on socket %i:\n", socket);
malloc_heap_dump(&mcfg->malloc_heaps[socket], f);
}