libmemif: fix possible segfault on memif_get_details

insufficient buflen does not mean immediate return but
fallthrough by design so assigning values to these
array elements should just be skipped in that case.

Change-Id: Iaa9718db073108e44a9b05e1c8ffb0725147ff1f
Signed-off-by: Koichiro Den <den@klaipeden.com>

diff --git a/extras/libmemif/src/main.c b/extras/libmemif/src/main.c
index c6a62bb..ab7a2f0 100644 (file)
--- a/extras/libmemif/src/main.c
+++ b/extras/libmemif/src/main.c
@@ -2074,20 +2074,19 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
   if (l0 + l1 <= buflen)
     {
       md->regions = (memif_region_details_t *) buf + l0;
+      for (i = 0; i < md->regions_num; i++)
+        {
+          md->regions[i].index = i;
+          md->regions[i].addr = c->regions[i].addr;
+          md->regions[i].size = c->regions[i].region_size;
+          md->regions[i].fd = c->regions[i].fd;
+          md->regions[i].is_external = c->regions[i].is_external;
+        }
       l0 += l1;
     }
   else
     err = MEMIF_ERR_NOBUF_DET;
 
-  for (i = 0; i < md->regions_num; i++)
-    {
-      md->regions[i].index = i;
-      md->regions[i].addr = c->regions[i].addr;
-      md->regions[i].size = c->regions[i].region_size;
-      md->regions[i].fd = c->regions[i].fd;
-      md->regions[i].is_external = c->regions[i].is_external;
-    }
-
   md->rx_queues_num =
     (c->args.is_master) ? c->run_args.num_s2m_rings : c->
     run_args.num_m2s_rings;
@@ -2096,22 +2095,21 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
   if (l0 + l1 <= buflen)
     {
       md->rx_queues = (memif_queue_details_t *) buf + l0;
+      for (i = 0; i < md->rx_queues_num; i++)
+        {
+          md->rx_queues[i].region = c->rx_queues[i].region;
+          md->rx_queues[i].qid = i;
+          md->rx_queues[i].ring_size = (1 << c->rx_queues[i].log2_ring_size);
+          md->rx_queues[i].flags = c->rx_queues[i].ring->flags;
+          md->rx_queues[i].head = c->rx_queues[i].ring->head;
+          md->rx_queues[i].tail = c->rx_queues[i].ring->tail;
+          md->rx_queues[i].buffer_size = c->run_args.buffer_size;
+        }
       l0 += l1;
     }
   else
     err = MEMIF_ERR_NOBUF_DET;
 
-  for (i = 0; i < md->rx_queues_num; i++)
-    {
-      md->rx_queues[i].region = c->rx_queues[i].region;
-      md->rx_queues[i].qid = i;
-      md->rx_queues[i].ring_size = (1 << c->rx_queues[i].log2_ring_size);
-      md->rx_queues[i].flags = c->rx_queues[i].ring->flags;
-      md->rx_queues[i].head = c->rx_queues[i].ring->head;
-      md->rx_queues[i].tail = c->rx_queues[i].ring->tail;
-      md->rx_queues[i].buffer_size = c->run_args.buffer_size;
-    }
-
   md->tx_queues_num =
     (c->args.is_master) ? c->run_args.num_m2s_rings : c->
     run_args.num_s2m_rings;
@@ -2120,22 +2118,21 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
   if (l0 + l1 <= buflen)
     {
       md->tx_queues = (memif_queue_details_t *) buf + l0;
+      for (i = 0; i < md->tx_queues_num; i++)
+        {
+          md->tx_queues[i].region = c->tx_queues[i].region;
+          md->tx_queues[i].qid = i;
+          md->tx_queues[i].ring_size = (1 << c->tx_queues[i].log2_ring_size);
+          md->tx_queues[i].flags = c->tx_queues[i].ring->flags;
+          md->tx_queues[i].head = c->tx_queues[i].ring->head;
+          md->tx_queues[i].tail = c->tx_queues[i].ring->tail;
+          md->tx_queues[i].buffer_size = c->run_args.buffer_size;
+        }
       l0 += l1;
     }
   else
     err = MEMIF_ERR_NOBUF_DET;
 
-  for (i = 0; i < md->tx_queues_num; i++)
-    {
-      md->tx_queues[i].region = c->tx_queues[i].region;
-      md->tx_queues[i].qid = i;
-      md->tx_queues[i].ring_size = (1 << c->tx_queues[i].log2_ring_size);
-      md->tx_queues[i].flags = c->tx_queues[i].ring->flags;
-      md->tx_queues[i].head = c->tx_queues[i].ring->head;
-      md->tx_queues[i].tail = c->tx_queues[i].ring->tail;
-      md->tx_queues[i].buffer_size = c->run_args.buffer_size;
-    }
-
   md->link_up_down = (c->fd > 0) ? 1 : 0;
 
   return err;                  /* 0 */