diff options
author | Lijian.Zhang <Lijian.Zhang@arm.com> | 2019-05-22 18:33:52 +0800 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-06-18 14:34:13 +0000 |
commit | b6d61e347a64e2263067c8c44415c3ad4d3cea70 (patch) | |
tree | 3608fbfeef64fb451e57e35e55d73f7dfaf9dad8 /src | |
parent | badf38a2b7559a313fda01811f86a9c25f4c00db (diff) |
session: fix memory out of bound issue
Ring data space is following ring vec_header_t and ring elements immediately.
Add verification code in session_test.
Type: fix
Change-Id: I0bfa096a9f459128a588821d99b5cdb4f10ede38
Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com>
Reviewed-by: Sirshak Das <Sirshak.Das@arm.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/unittest/session_test.c | 8 | ||||
-rw-r--r-- | src/svm/message_queue.c | 2 |
2 files changed, 9 insertions, 1 deletions
diff --git a/src/plugins/unittest/session_test.c b/src/plugins/unittest/session_test.c index e54c8a6cd86..0d9da537ef0 100644 --- a/src/plugins/unittest/session_test.c +++ b/src/plugins/unittest/session_test.c @@ -1875,6 +1875,8 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input) svm_msg_q_msg_t msg1, msg2, msg[12]; int __clib_unused verbose, i, rv; svm_msg_q_t *mq; + svm_msg_q_ring_t *ring; + u8 *rings_ptr; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { @@ -1899,6 +1901,12 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input) mq = svm_msg_q_alloc (cfg); SESSION_TEST (mq != 0, "svm_msg_q_alloc"); SESSION_TEST (vec_len (mq->rings) == 2, "ring allocation"); + rings_ptr = (u8 *) mq->rings + vec_bytes (mq->rings); + vec_foreach (ring, mq->rings) + { + SESSION_TEST (ring->data == rings_ptr, "ring data"); + rings_ptr += (uword) ring->nitems * ring->elsize; + } msg1 = svm_msg_q_alloc_msg (mq, 8); rv = (mq->rings[0].cursize != 1 diff --git a/src/svm/message_queue.c b/src/svm/message_queue.c index 13d089a97cc..630442064f8 100644 --- a/src/svm/message_queue.c +++ b/src/svm/message_queue.c @@ -72,7 +72,7 @@ svm_msg_q_alloc (svm_msg_q_cfg_t * cfg) vh = (vec_header_t *) ((u8 *) mq->q + q_sz); vh->len = cfg->n_rings; mq->rings = (svm_msg_q_ring_t *) (vh + 1); - rings_ptr = (u8 *) mq->rings + vec_sz; + rings_ptr = (u8 *) mq->rings + sizeof (svm_msg_q_ring_t) * cfg->n_rings; for (i = 0; i < cfg->n_rings; i++) { ring = &mq->rings[i]; |