https://bugs.linaro.org/show_bug.cgi?id=2449
Bug ID: 2449
Summary: Packet queue pool causes out-of-bounds accesses
Product: OpenDataPlane - linux-generic reference
Version: v1.10.1
Hardware: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: Traffic Manager
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
This error happened to me while trying to use 2 TMs. With 1 it did not show up.
Maybe I got the code wrong, please correct me if I am missing something.
If it is confirmed, I can provide a patch as suggested at the end.
When an odp_tm_t is created, it creates a queue_pool_t with N packet queues,
where N is the 'max_tm_queues' parameter:
odp_traffic_mngr.c: odp_tm_create():2672
max_tm_queues = requirements->max_tm_queues;
...
max_num_queues = max_tm_queues;
...
tm_system->_odp_int_queue_pool = _odp_queue_pool_create(
max_num_queues, max_queued_pkts);
When a queue_pool_t structure is created, it allocates N packet queues:
odp_pkt_queue.c: _odp_queue_pool_create():190
pool->max_queue_num = max_num_queues;
pool->max_queued_pkts = max_queued_pkts;
pool->next_queue_num = 1;
malloc_len = max_num_queues * sizeof(uint32_t);
pool->queue_num_tbl = malloc(malloc_len);
memset(pool->queue_num_tbl, 0, malloc_len);
The 'next_queue_num' field is set to 1, so the packet queue indexes will range
from 1 to N:
odp_pkt_queue.c: _odp_pkt_queue_create():236
queue_num = pool->next_queue_num++;
if (pool->max_queue_num < queue_num)
return _ODP_INT_PKT_QUEUE_INVALID;
return (_odp_int_pkt_queue_t)queue_num;
However, when the 0-based array is accessed, this 1-based index is used:
odp_pkt_queue.c: _odp_pkt_queue_remove():307
queue_num = (uint32_t)pkt_queue;
if ((queue_num == 0) || (pool->max_queue_num < queue_num))
return -2;
first_blk_idx = pool->queue_num_tbl[queue_num];
This causes an out-of-bounds access for the last index, N. The access to the
malloc'd array should be converted to a 0-based index, e.g.:
first_blk_idx = pool->queue_num_tbl[queue_num-1];
Oriol Arcas
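The off-by-one the report describes, modelled as an added example (this is not ODP's code; the `model_*` names, the `-1`/`-2` return codes and the small table size are assumptions). The model keeps the 1-based handle allocation (`next_queue_num` starts at 1) and the `max_queue_num < queue_num` range check, and lets the lookup be run either with the reported 1-based indexing or with the suggested `queue_num - 1`. Rather than actually reading past the buffer, it computes the slot and reports whether it would land outside the table, so it is safe to run without a sanitizer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical minimal model of the queue pool discussed in the report.
 * Only the fields needed to show the indexing problem are kept. */
typedef struct {
	uint32_t  max_queue_num;   /* N: number of table slots allocated */
	uint32_t  next_queue_num;  /* next handle to hand out, starts at 1 */
	uint32_t *queue_num_tbl;   /* N entries, valid indexes 0..N-1 */
} model_pool_t;

#define MODEL_QUEUE_INVALID 0u

static model_pool_t *model_pool_create(uint32_t max_num_queues)
{
	model_pool_t *pool = calloc(1, sizeof(*pool));
	if (!pool)
		return NULL;
	pool->max_queue_num = max_num_queues;
	pool->next_queue_num = 1;   /* handles are 1..N, as in the report */
	pool->queue_num_tbl = calloc(max_num_queues, sizeof(uint32_t));
	if (!pool->queue_num_tbl) {
		free(pool);
		return NULL;
	}
	return pool;
}

static void model_pool_destroy(model_pool_t *pool)
{
	if (!pool)
		return;
	free(pool->queue_num_tbl);
	free(pool);
}

/* Mirrors the create path: post-increment a 1-based counter and reject
 * anything above N.  Handle N is therefore accepted. */
static uint32_t model_queue_create(model_pool_t *pool)
{
	uint32_t queue_num = pool->next_queue_num++;

	if (pool->max_queue_num < queue_num)
		return MODEL_QUEUE_INVALID;
	return queue_num;
}

/* Translate a handle into the table slot the lookup would touch.
 *   fixed == 0 : index with queue_num     (behaviour described in the report)
 *   fixed != 0 : index with queue_num - 1 (the suggested fix)
 * Returns the slot on success, -1 if the handle fails the range check,
 * -2 if the handle passes the range check but the slot is past the table. */
static int64_t model_table_slot(const model_pool_t *pool, uint32_t queue_num,
				int fixed)
{
	uint32_t slot;

	if (queue_num == 0 || pool->max_queue_num < queue_num)
		return -1;
	slot = fixed ? queue_num - 1 : queue_num;
	if (slot >= pool->max_queue_num)
		return -2;   /* would read/write queue_num_tbl out of bounds */
	return (int64_t)slot;
}

/* Allocate every handle a pool of size n can hand out and count how many
 * of them would index past the table under the chosen indexing scheme. */
static uint32_t model_count_oob(uint32_t n, int fixed)
{
	model_pool_t *pool = model_pool_create(n);
	uint32_t oob = 0;

	if (!pool)
		return UINT32_MAX;
	for (;;) {
		uint32_t q = model_queue_create(pool);

		if (q == MODEL_QUEUE_INVALID)
			break;
		if (model_table_slot(pool, q, fixed) == -2)
			oob++;
	}
	model_pool_destroy(pool);
	return oob;
}

int main(void)
{
	/* With N = 4: handles 1..4 are issued; handle 4 indexes slot 4 of a
	 * 4-entry table under the original scheme, slot 3 under the fix. */
	printf("N=4, 1-based indexing: %u handle(s) out of bounds\n",
	       model_count_oob(4, 0));
	printf("N=4, queue_num-1 indexing: %u handle(s) out of bounds\n",
	       model_count_oob(4, 1));
	return 0;
}
```

Only the last handle is affected, which is why the problem is easy to miss: a single TM that never fills its queue pool never hands out handle N. To see the real access fault rather than the model's `-2`, the same logic with an actual `queue_num_tbl[slot]` read would be caught by AddressSanitizer (`-fsanitize=address`) on the first use of handle N.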