Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: badf38a)
session: fix memory out of bound issue 06/20206/2
authorLijian.Zhang <Lijian.Zhang@arm.com>
Wed, 22 May 2019 10:33:52 +0000 (18:33 +0800)
committerFlorin Coras <florin.coras@gmail.com>
Tue, 18 Jun 2019 14:34:13 +0000 (14:34 +0000)
Ring data space is following ring vec_header_t and ring elements immediately.
Add verification code in session_test.

Type: fix

Change-Id: I0bfa096a9f459128a588821d99b5cdb4f10ede38
Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com>
Reviewed-by: Sirshak Das <Sirshak.Das@arm.com>
src/plugins/unittest/session_test.c patch | blob | history
src/svm/message_queue.c patch | blob | history

diff --git a/src/plugins/unittest/session_test.c b/src/plugins/unittest/session_test.c
index e54c8a6..0d9da53 100644 (file)
--- a/src/plugins/unittest/session_test.c
+++ b/src/plugins/unittest/session_test.c
@@ -1875,6 +1875,8 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input)
   svm_msg_q_msg_t msg1, msg2, msg[12];
   int __clib_unused verbose, i, rv;
   svm_msg_q_t *mq;
+  svm_msg_q_ring_t *ring;
+  u8 *rings_ptr;
 
   while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
     {
@@ -1899,6 +1901,12 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input)
   mq = svm_msg_q_alloc (cfg);
   SESSION_TEST (mq != 0, "svm_msg_q_alloc");
   SESSION_TEST (vec_len (mq->rings) == 2, "ring allocation");
+  rings_ptr = (u8 *) mq->rings + vec_bytes (mq->rings);
+  vec_foreach (ring, mq->rings)
+  {
+    SESSION_TEST (ring->data == rings_ptr, "ring data");
+    rings_ptr += (uword) ring->nitems * ring->elsize;
+  }
 
   msg1 = svm_msg_q_alloc_msg (mq, 8);
   rv = (mq->rings[0].cursize != 1
diff --git a/src/svm/message_queue.c b/src/svm/message_queue.c
index 13d089a..6304420 100644 (file)
--- a/src/svm/message_queue.c
+++ b/src/svm/message_queue.c
@@ -72,7 +72,7 @@ svm_msg_q_alloc (svm_msg_q_cfg_t * cfg)
   vh = (vec_header_t *) ((u8 *) mq->q + q_sz);
   vh->len = cfg->n_rings;
   mq->rings = (svm_msg_q_ring_t *) (vh + 1);
-  rings_ptr = (u8 *) mq->rings + vec_sz;
+  rings_ptr = (u8 *) mq->rings + sizeof (svm_msg_q_ring_t) * cfg->n_rings;
   for (i = 0; i < cfg->n_rings; i++)
     {
       ring = &mq->rings[i];
Vector Packet Processing