summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJingjing Wu <jingjing.wu@intel.com>2015-02-12 19:22:23 +0800
committerThomas Monjalon <thomas.monjalon@6wind.com>2015-04-01 21:45:10 +0200
commitb9a8b2f80959ac6c415b202d9cb39fa529b167f5 (patch)
tree26edaa6a165ac5ddf94784fddc81bc3ed5b283bb
parentbe2d7a05eb3f2f12eb16f3b43b0b8fa4f62fe655 (diff)
downloaddpdk-b9a8b2f80959ac6c415b202d9cb39fa529b167f5.zip
dpdk-b9a8b2f80959ac6c415b202d9cb39fa529b167f5.tar.gz
dpdk-b9a8b2f80959ac6c415b202d9cb39fa529b167f5.tar.xz
i40e: fix out of bound read
Klocwork reports array 'src_offset' may use index 16. In function i40e_srcoff_to_flx_pit, index j + 1 can reach I40E_FDIR_MAX_FLEX_LEN. This patch fixes this issue to avoid array bound. Test report: http://www.dpdk.org/ml/archives/dev/2015-March/016030.html Fixes: d8b90c4eabe9 ("i40e: take flow director flexible payload configuration") Signed-off-by: Jingjing Wu <jingjing.wu@intel.com> Acked-by: Helin Zhang <helin.zhang@intel.com> Tested-by: Min Cao <min.cao@intel.com>
-rw-r--r--lib/librte_pmd_i40e/i40e_fdir.c35
1 files changed, 17 insertions, 18 deletions
diff --git a/lib/librte_pmd_i40e/i40e_fdir.c b/lib/librte_pmd_i40e/i40e_fdir.c
index 5bb6217..7b68c78 100644
--- a/lib/librte_pmd_i40e/i40e_fdir.c
+++ b/lib/librte_pmd_i40e/i40e_fdir.c
@@ -402,28 +402,27 @@ i40e_srcoff_to_flx_pit(const uint16_t *src_offset,
while (j < I40E_FDIR_MAX_FLEX_LEN) {
size = 1;
- for (; j < I40E_FDIR_MAX_FLEX_LEN; j++) {
+ for (; j < I40E_FDIR_MAX_FLEX_LEN - 1; j++) {
if (src_offset[j + 1] == src_offset[j] + 1)
size++;
- else {
- src_tmp = src_offset[j] + 1 - size;
- /* the flex_pit need to be sort by scr_offset */
- for (i = 0; i < num; i++) {
- if (src_tmp < flex_pit[i].src_offset)
- break;
- }
- /* if insert required, move backward */
- for (k = num; k > i; k--)
- flex_pit[k] = flex_pit[k - 1];
- /* insert */
- flex_pit[i].dst_offset = j + 1 - size;
- flex_pit[i].src_offset = src_tmp;
- flex_pit[i].size = size;
- j++;
- num++;
+ else
+ break;
+ }
+ src_tmp = src_offset[j] + 1 - size;
+ /* the flex_pit need to be sort by src_offset */
+ for (i = 0; i < num; i++) {
+ if (src_tmp < flex_pit[i].src_offset)
break;
- }
}
+ /* if insert required, move backward */
+ for (k = num; k > i; k--)
+ flex_pit[k] = flex_pit[k - 1];
+ /* insert */
+ flex_pit[i].dst_offset = j + 1 - size;
+ flex_pit[i].src_offset = src_tmp;
+ flex_pit[i].size = size;
+ j++;
+ num++;
}
return num;
}