HI
I am using DPDK 19.11 version. Following are my findings
struct rte_ip_frag_death_row {
uint32_t cnt; /**< number of mbufs currently on death row */
struct rte_mbuf *row[IP_FRAG_DEATH_ROW_MBUF_LEN];
/**< mbufs to be freed */
};
#define IP_FRAG_MBUF2DR(dr, mb) ((dr)->row[(dr)->cnt++] = (mb))
When calling IP_FRAG_MBUF2DR, there is no check for cnt <
IP_FRAG_DEATH_ROW_MBUF_LEN.
So whenever (cnt >= IP_FRAG_DEATH_ROW_MBUF_LEN) happens IP_FRAG_MBUF2DR will
corrupt memory due to array-bound overflow.
Late arrival or non-arrival of all fragments of packets - any of these common
scenarios can cause the corruption!!
Is this a known issue?
Thanks
Purnima
