From ec7012e51edef4aec2239cb5b3a249f46d9b2cb0 Mon Sep 17 00:00:00 2001
From: Steven Luong
Date: Thu, 7 May 2020 10:47:33 -0700
Subject: vppinfra: loop counter off by 1 in search_free_list()

In search_free_list(), we have this do while loop. do { l--; f_index = h->free_lists[b][l]; f = elt_at (h, f_index); f_size = heap_elt_size (v, f); if ((s = f_size - size) >= 0) break; } while (l >= 0); When (l == 0), we still go back up to execute l--. Then l become -1. The next statement is we index h->free_lists[b][-1]. After that, elt_at() would probably cause a crash in the ASSERT.

Type: fix
Ticket: VPPSUPP-63
Signed-off-by: Steven Luong
Change-Id: I617d122aa221cfdfe38f8be50f4e0f0e76e11bb5
---
 src/vppinfra/heap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/vppinfra/heap.c b/src/vppinfra/heap.c
index f7b1f6bb31e..d48136c4c94 100644
--- a/src/vppinfra/heap.c
+++ b/src/vppinfra/heap.c
@@ -306,7 +306,7 @@ search_free_list (void *v, uword size)
 if ((s = f_size - size) >= 0)
 break;
 }
- while (l >= 0);
+ while (l > 0);
 /* If we fail to find a large enough object, try the next larger size. */
 if (l < 0)
--
cgit 1.2.3-korg
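Review bot: With the loop now exiting on `l > 0`, `l` is 0 rather than negative when the free list is exhausted without a fit, so the `if (l < 0)` on the context line after the comment can no longer be true and the "try the next larger size" fallback is lost whenever the last candidate in the list (index 0) is also too small. The loop only `break`s when `s >= 0`, so the exhausted case is better detected from `s`, e.g. `if (s < 0)`, assuming `s` is a signed word as the `>= 0` comparison implies. The negative-index fix itself is correct; this is the consequence the commit does not address. search_free_list's body begins and ends outside the hunk, so what follows `if (l < 0)` is not visible here.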