vppinfra: fix potential memory access error in _pool_init_fixed

_pool_init_fixed uses mmap to initialize a fixed-size and preallocated
pool, whose size is the sum of vector_size and free_index_size with
alignment to the CLIB_CACHE_LINE_BYTES and page size. In this way
vector_size equals to pool_header_t + vec_header_t + elt_size * max_elts
so moving to the end of the pool space should be pool_header_t pointer +
vector_size, instead of vec_header_t pointer + vector_size.

Simple code to reproduce this error:

u64 *pool;
pool_init_fixed(pool, 2042);

Improve unit test to cover this case

Type: fix

Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
Reviewed-by: Lijian Zhang <lijian.zhang@arm.com>
Reviewed-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: If088ef89b3dcb2d874ee837ae9da60983b14615c
Signed-off-by: Dave Barach <dave@barachs.net>

diff --git a/src/plugins/unittest/pool_test.c b/src/plugins/unittest/pool_test.c
index 237b6be..23ac6d6 100644 (file)
--- a/src/plugins/unittest/pool_test.c
+++ b/src/plugins/unittest/pool_test.c
@@ -19,29 +19,37 @@ static clib_error_t *
 test_pool_command_fn (vlib_main_t *vm, unformat_input_t *input,
                      vlib_cli_command_t *cmd)
 {
-  int i;
+  static int sizes[] = { 3, 31, 2042, 2048 };
+
+  int i, j;
   u64 *pool;
+  uword this_size;
 
-  pool_init_fixed (pool, 2048);
+  for (j = 0; j < ARRAY_LEN (sizes); j++)
+    {
+      this_size = sizes[j];
 
-  i = 0;
+      pool_init_fixed (pool, this_size);
 
-  while (pool_free_elts (pool) > 0)
-    {
-      u64 *p __attribute__ ((unused));
+      i = 0;
 
-      pool_get (pool, p);
-      i++;
-    }
+      while (pool_free_elts (pool) > 0)
+       {
+         u64 *p __attribute__ ((unused));
 
-  vlib_cli_output (vm, "allocated %d elts\n", i);
+         pool_get (pool, p);
+         i++;
+       }
 
-  for (--i; i >= 0; i--)
-    {
-      pool_put_index (pool, i);
-    }
+      vlib_cli_output (vm, "allocated %d elts\n", i);
 
-  ALWAYS_ASSERT (pool_free_elts (pool) == 2048);
+      for (--i; i >= 0; i--)
+       {
+         pool_put_index (pool, i);
+       }
+
+      ALWAYS_ASSERT (pool_free_elts (pool) == this_size);
+    }
 
   vlib_cli_output (vm, "Test succeeded...\n");
   return 0;

diff --git a/src/vppinfra/pool.c b/src/vppinfra/pool.c
index 78361b5..c2f587a 100644 (file)
--- a/src/vppinfra/pool.c
+++ b/src/vppinfra/pool.c
@@ -97,7 +97,7 @@ _pool_init_fixed (void **pool_ptr, u32 elt_size, u32 max_elts)
   vh->len = max_elts;
 
   /* Build the free-index vector */
-  vh = (vec_header_t *) (v + vector_size);
+  vh = (vec_header_t *) ((u8 *) fh + vector_size);
   vh->len = max_elts;
   fi = (u32 *) (vh + 1);