From b9a8b2f80959ac6c415b202d9cb39fa529b167f5 Mon Sep 17 00:00:00 2001 From: Jingjing Wu Date: Thu, 12 Feb 2015 19:22:23 +0800 Subject: [PATCH] i40e: fix out of bound read Klocwork reports array 'src_offset' may use index 16. In function i40e_srcoff_to_flx_pit, index j + 1 can reach I40E_FDIR_MAX_FLEX_LEN. This patch fixes this issue to avoid array bound. Test report: http://www.dpdk.org/ml/archives/dev/2015-March/016030.html Fixes: d8b90c4eabe9 ("i40e: take flow director flexible payload configuration") Signed-off-by: Jingjing Wu Acked-by: Helin Zhang Tested-by: Min Cao --- lib/librte_pmd_i40e/i40e_fdir.c | 35 ++++++++++++++++----------------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/lib/librte_pmd_i40e/i40e_fdir.c b/lib/librte_pmd_i40e/i40e_fdir.c index 5bb621761f..7b68c78451 100644 --- a/lib/librte_pmd_i40e/i40e_fdir.c +++ b/lib/librte_pmd_i40e/i40e_fdir.c @@ -402,28 +402,27 @@ i40e_srcoff_to_flx_pit(const uint16_t *src_offset, while (j < I40E_FDIR_MAX_FLEX_LEN) { size = 1; - for (; j < I40E_FDIR_MAX_FLEX_LEN; j++) { + for (; j < I40E_FDIR_MAX_FLEX_LEN - 1; j++) { if (src_offset[j + 1] == src_offset[j] + 1) size++; - else { - src_tmp = src_offset[j] + 1 - size; - /* the flex_pit need to be sort by scr_offset */ - for (i = 0; i < num; i++) { - if (src_tmp < flex_pit[i].src_offset) - break; - } - /* if insert required, move backward */ - for (k = num; k > i; k--) - flex_pit[k] = flex_pit[k - 1]; - /* insert */ - flex_pit[i].dst_offset = j + 1 - size; - flex_pit[i].src_offset = src_tmp; - flex_pit[i].size = size; - j++; - num++; + else + break; + } + src_tmp = src_offset[j] + 1 - size; + /* the flex_pit need to be sort by src_offset */ + for (i = 0; i < num; i++) { + if (src_tmp < flex_pit[i].src_offset) break; - } } + /* if insert required, move backward */ + for (k = num; k > i; k--) + flex_pit[k] = flex_pit[k - 1]; + /* insert */ + flex_pit[i].dst_offset = j + 1 - size; + flex_pit[i].src_offset = src_tmp; + flex_pit[i].size = size; + j++; + num++; } return num; } -- 2.20.1