From: Lijian.Zhang Date: Wed, 22 May 2019 10:33:52 +0000 (+0800) Subject: session: fix memory out of bound issue X-Git-Tag: v20.01-rc0~384 X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commitdiff_plain;h=b6d61e347a64e2263067c8c44415c3ad4d3cea70 session: fix memory out of bound issue Ring data space is following ring vec_header_t and ring elements immediately. Add verification code in session_test. Type: fix Change-Id: I0bfa096a9f459128a588821d99b5cdb4f10ede38 Signed-off-by: Lijian Zhang Reviewed-by: Sirshak Das
---
diff --git a/src/plugins/unittest/session_test.c b/src/plugins/unittest/session_test.c
index e54c8a6cd86..0d9da537ef0 100644
--- a/src/plugins/unittest/session_test.c
+++ b/src/plugins/unittest/session_test.c
@@ -1875,6 +1875,8 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input)
 svm_msg_q_msg_t msg1, msg2, msg[12];
 int __clib_unused verbose, i, rv;
 svm_msg_q_t *mq;
+ svm_msg_q_ring_t *ring;
+ u8 *rings_ptr;
 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
 {
@@ -1899,6 +1901,12 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input)
 mq = svm_msg_q_alloc (cfg);
 SESSION_TEST (mq != 0, "svm_msg_q_alloc");
 SESSION_TEST (vec_len (mq->rings) == 2, "ring allocation");
+ rings_ptr = (u8 *) mq->rings + vec_bytes (mq->rings);
+ vec_foreach (ring, mq->rings)
+ {
+ SESSION_TEST (ring->data == rings_ptr, "ring data");
+ rings_ptr += (uword) ring->nitems * ring->elsize;
+ }
 msg1 = svm_msg_q_alloc_msg (mq, 8);
 rv = (mq->rings[0].cursize != 1
diff --git a/src/svm/message_queue.c b/src/svm/message_queue.c
index 13d089a97cc..630442064f8 100644
--- a/src/svm/message_queue.c
+++ b/src/svm/message_queue.c
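Review bot: The new `vec_foreach` check in session_test_mq_basic (second session_test.c hunk) asserts only where each ring's data starts, so it would not notice the last ring's data running past the end of the queue allocation, which is the out-of-bounds condition the commit title describes. After the loop the final `rings_ptr` is the expected end of the ring data and could be compared with the end of the region svm_msg_q_alloc sized, if the test has a way to learn that size; nothing in the visible lines exposes it. Every iteration also reports the same "ring data" string, so a failure does not say which ring is misplaced; assuming SESSION_TEST forwards format arguments, `SESSION_TEST (ring->data == rings_ptr, "ring %d data", (int) (ring - mq->rings));` would identify it. The function body starts and ends outside both hunks.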
@@ -72,7 +72,7 @@ svm_msg_q_alloc (svm_msg_q_cfg_t * cfg)
 vh = (vec_header_t *) ((u8 *) mq->q + q_sz);
 vh->len = cfg->n_rings;
 mq->rings = (svm_msg_q_ring_t *) (vh + 1);
- rings_ptr = (u8 *) mq->rings + vec_sz;
+ rings_ptr = (u8 *) mq->rings + sizeof (svm_msg_q_ring_t) * cfg->n_rings;
 for (i = 0; i < cfg->n_rings; i++)
 {
 ring = &mq->rings[i];
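Review bot: The corrected start offset on the `rings_ptr` line stays in bounds only while the size svm_msg_q_alloc requests, computed outside this hunk, follows the same layout, and nothing here documents or enforces that coupling. A comment above the assignment would record it: `/* ring data starts right after the n_rings descriptors; vec_header_t precedes mq->rings and is not part of this offset */`. It would also help to assert after the `for` loop, which continues past the hunk, that the final `rings_ptr` does not exceed the end of the allocated region, so a later change to either computation fails in a debug build instead of writing past the allocation.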