From d4ee3c61c06ceea054d269a44540e0db054a6db0 Mon Sep 17 00:00:00 2001 From: Sergio Gonzalez Monroy Date: Tue, 14 Jun 2016 19:07:18 +0100 Subject: [PATCH] mem: fix possible integer overflow It is possible to get an integer overflow if we try to reserve a memzone with len = 0 (meaning the maximum contiguous space available) and the maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align). Coverity issue: 107111 Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc") Signed-off-by: Sergio Gonzalez Monroy --- lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/eal_common_memzone.c b/lib/librte_eal/common/eal_common_memzone.c index 452679ef9e..5d28341f7e 100644 --- a/lib/librte_eal/common/eal_common_memzone.c +++ b/lib/librte_eal/common/eal_common_memzone.c @@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align) } } + if (len < MALLOC_ELEM_OVERHEAD + align) + return 0; + return len - MALLOC_ELEM_OVERHEAD - align; } @@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name, size_t len, if (len == 0) { if (bound != 0) requested_len = bound; - else + else { requested_len = find_heap_max_free_elem(&socket_id, align); + if (requested_len == 0) { + rte_errno = ENOMEM; + return NULL; + } + } } if (socket_id == SOCKET_ID_ANY) -- 2.20.1