From 0af8db317267544e86b271008360d9847973f92c Mon Sep 17 00:00:00 2001 From: Anatoly Burakov Date: Mon, 16 Apr 2018 17:45:00 +0100 Subject: [PATCH] malloc: fix out-of-bounds segment array access Technically, while the pointer would've been invalid if msl_idx were invalid, we wouldn't have actually attempted to access the pointer until verifying the index. Fix it by moving array access to after we've verified validity of the index. Coverity issue: 272574 Fixes: 66cc45e293ed ("mem: replace memseg with memseg lists") Signed-off-by: Anatoly Burakov Acked-by: Harry van Haaren --- lib/librte_eal/common/malloc_heap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c index 590e9e34be..5cf7231022 100644 --- a/lib/librte_eal/common/malloc_heap.c +++ b/lib/librte_eal/common/malloc_heap.c @@ -99,11 +99,12 @@ malloc_add_seg(const struct rte_memseg_list *msl, /* msl is const, so find it */ msl_idx = msl - mcfg->memsegs; - found_msl = &mcfg->memsegs[msl_idx]; if (msl_idx < 0 || msl_idx >= RTE_MAX_MEMSEG_LISTS) return -1; + found_msl = &mcfg->memsegs[msl_idx]; + malloc_heap_add_memory(heap, found_msl, ms->addr, len); RTE_LOG(DEBUG, EAL, "Added %zuM to heap on socket %i\n", len >> 20, -- 2.20.1