i40e: fix out of bound read
authorJingjing Wu <jingjing.wu@intel.com>
Thu, 12 Feb 2015 11:22:23 +0000 (19:22 +0800)
committerThomas Monjalon <thomas.monjalon@6wind.com>
Wed, 1 Apr 2015 19:45:10 +0000 (21:45 +0200)
Klocwork reports array 'src_offset' may use index 16.
In function i40e_srcoff_to_flx_pit, index j + 1 can reach I40E_FDIR_MAX_FLEX_LEN.
This patch fixes the issue by keeping the index within the array bound.

Test report: http://www.dpdk.org/ml/archives/dev/2015-March/016030.html

Fixes: d8b90c4eabe9 ("i40e: take flow director flexible payload configuration")

Signed-off-by: Jingjing Wu <jingjing.wu@intel.com>
Acked-by: Helin Zhang <helin.zhang@intel.com>
Tested-by: Min Cao <min.cao@intel.com>
lib/librte_pmd_i40e/i40e_fdir.c

index 5bb6217..7b68c78 100644 (file)
@@ -402,28 +402,27 @@ i40e_srcoff_to_flx_pit(const uint16_t *src_offset,
 
        while (j < I40E_FDIR_MAX_FLEX_LEN) {
                size = 1;
-               for (; j < I40E_FDIR_MAX_FLEX_LEN; j++) {
+               for (; j < I40E_FDIR_MAX_FLEX_LEN - 1; j++) {
                        if (src_offset[j + 1] == src_offset[j] + 1)
                                size++;
-                       else {
-                               src_tmp = src_offset[j] + 1 - size;
-                               /* the flex_pit need to be sort by scr_offset */
-                               for (i = 0; i < num; i++) {
-                                       if (src_tmp < flex_pit[i].src_offset)
-                                               break;
-                               }
-                               /* if insert required, move backward */
-                               for (k = num; k > i; k--)
-                                       flex_pit[k] = flex_pit[k - 1];
-                               /* insert */
-                               flex_pit[i].dst_offset = j + 1 - size;
-                               flex_pit[i].src_offset = src_tmp;
-                               flex_pit[i].size = size;
-                               j++;
-                               num++;
+                       else
+                               break;
+               }
+               src_tmp = src_offset[j] + 1 - size;
+               /* the flex_pit need to be sort by src_offset */
+               for (i = 0; i < num; i++) {
+                       if (src_tmp < flex_pit[i].src_offset)
                                break;
-                       }
                }
+               /* if insert required, move backward */
+               for (k = num; k > i; k--)
+                       flex_pit[k] = flex_pit[k - 1];
+               /* insert */
+               flex_pit[i].dst_offset = j + 1 - size;
+               flex_pit[i].src_offset = src_tmp;
+               flex_pit[i].size = size;
+               j++;
+               num++;
        }
        return num;
 }
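Review bot: The writes to `flex_pit[i]` and the shift `flex_pit[k] = flex_pit[k - 1]` are still not checked against the capacity of the destination array, which the hunk does not show; the patch bounds only the `src_offset[j + 1]` read. When no two adjacent `src_offset` values are consecutive, the outer loop emits one entry per element, so `num` can reach I40E_FDIR_MAX_FLEX_LEN. If a caller passes a smaller array, that is an out-of-bounds write, so I would state the contract above the function, e.g. `/* flex_pit must hold at least I40E_FDIR_MAX_FLEX_LEN entries */`, or stop inserting once a caller-supplied capacity is reached. The function's signature and local declarations lie outside the hunk, so the actual array size needs confirming at the call site.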