mem: fix possible integer overflow
authorSergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Tue, 14 Jun 2016 18:07:18 +0000 (19:07 +0100)
committerThomas Monjalon <thomas.monjalon@6wind.com>
Mon, 20 Jun 2016 08:54:57 +0000 (10:54 +0200)
It is possible to get an integer overflow if we try to reserve a memzone
with len = 0 (meaning the maximum contiguous space available) and the
maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).

Coverity issue: 107111

Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
lib/librte_eal/common/eal_common_memzone.c

index 452679e..5d28341 100644 (file)
@@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align)
                }
        }
 
+       if (len < MALLOC_ELEM_OVERHEAD + align)
+               return 0;
+
        return len - MALLOC_ELEM_OVERHEAD - align;
 }
 
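Review bot: The new guard `if (len < MALLOC_ELEM_OVERHEAD + align)` adds a caller-supplied `align` before comparing, so it only closes the underflow in the final subtraction if that sum cannot itself wrap. The types of `len` and `MALLOC_ELEM_OVERHEAD` are not visible in this hunk; if the addition is evaluated in 32 bits, a very large `align` could make the sum small and let the subtraction underflow as before. A subtraction-only form removes the dependency: `if (len < MALLOC_ELEM_OVERHEAD || len - MALLOC_ELEM_OVERHEAD < align) return 0;`. The body of find_heap_max_free_elem begins outside the hunk, so whether `align` is range-checked earlier cannot be confirmed from here.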
@@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name, size_t len,
        if (len == 0) {
                if (bound != 0)
                        requested_len = bound;
-               else
+               else {
                        requested_len = find_heap_max_free_elem(&socket_id, align);
+                       if (requested_len == 0) {
+                               rte_errno = ENOMEM;
+                               return NULL;
+                       }
+               }
        }
 
        if (socket_id == SOCKET_ID_ANY)
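Review bot: The added `if (requested_len == 0)` test relies on find_heap_max_free_elem() returning 0 as its no-usable-space result, and nothing at the call site says so. A reader could take it for a check on a legitimate zero length. A one-line comment above the test, such as `/* 0: no free heap element can hold the overhead plus the alignment */`, would make the contract explicit. The same sentence belongs in a comment on the helper's return value, since this caller now depends on it. The enclosing function starts and ends outside the hunk.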