From be420e59e9590cc7ba5b4ec5a4ab4e252387bd24 Mon Sep 17 00:00:00 2001
From: Koichiro Den
Date: Sat, 15 Dec 2018 00:31:34 +0900
Subject: libmemif: fix possible segfault on memif_get_details

insufficient buflen does not mean immediate return but fallthrough by design so assigning values to these array elements should just be skipped in that case.

Change-Id: Iaa9718db073108e44a9b05e1c8ffb0725147ff1f
Signed-off-by: Koichiro Den
---
 extras/libmemif/src/main.c | 59 ++++++++++++++++++++++------------------
 1 file changed, 28 insertions(+), 31 deletions(-)
(limited to 'extras/libmemif')

diff --git a/extras/libmemif/src/main.c b/extras/libmemif/src/main.c
index c6a62bb2ddc..ab7a2f04c14 100644
--- a/extras/libmemif/src/main.c
+++ b/extras/libmemif/src/main.c
@@ -2074,20 +2074,19 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
 if (l0 + l1 <= buflen)
 {
 md->regions = (memif_region_details_t *) buf + l0;
+ for (i = 0; i < md->regions_num; i++)
+ {
+ md->regions[i].index = i;
+ md->regions[i].addr = c->regions[i].addr;
+ md->regions[i].size = c->regions[i].region_size;
+ md->regions[i].fd = c->regions[i].fd;
+ md->regions[i].is_external = c->regions[i].is_external;
+ }
 l0 += l1;
 }
 else
 err = MEMIF_ERR_NOBUF_DET;
 
- for (i = 0; i < md->regions_num; i++)
- {
- md->regions[i].index = i;
- md->regions[i].addr = c->regions[i].addr;
- md->regions[i].size = c->regions[i].region_size;
- md->regions[i].fd = c->regions[i].fd;
- md->regions[i].is_external = c->regions[i].is_external;
- }
-
 md->rx_queues_num = (c->args.is_master) ? c->run_args.num_s2m_rings : c->
 run_args.num_m2s_rings;
 
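Review bot: The bounds check `if (l0 + l1 <= buflen)` guarding the new loop treats `l0` as a byte offset, but the context line `md->regions = (memif_region_details_t *) buf + l0;` scales `l0` by `sizeof (memif_region_details_t)` because the cast binds tighter than `+`, so unless `l0` counts elements rather than bytes (its computation is outside the hunk) the writes in the added loop can still land beyond `buf + buflen` even when the check passes. The same pattern appears in the second hunk (`md->rx_queues`) and the third (`md->tx_queues`), so moving the loops under the check does not by itself make them safe. The fix is to parenthesise the addition, `md->regions = (memif_region_details_t *) (buf + l0);`, and likewise for the two queue pointers. Separately, on the `MEMIF_ERR_NOBUF_DET` branch the new code leaves `md->regions` unassigned while the count fields are still filled in unconditionally (`md->rx_queues_num` is assigned at the end of this hunk, and `md->regions_num` apparently above it), so a caller that treats the error as non-fatal — the fall-through the commit message describes as intended — can iterate a stale or uninitialised pointer unless `md` is zeroed earlier in the function; adding `md->regions = NULL;` in the `else` branch (and the same for `rx_queues`/`tx_queues`) would make the partial result safe to consume. memif_get_details starts before and ends after this hunk.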
@@ -2096,22 +2095,21 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
 if (l0 + l1 <= buflen)
 {
 md->rx_queues = (memif_queue_details_t *) buf + l0;
+ for (i = 0; i < md->rx_queues_num; i++)
+ {
+ md->rx_queues[i].region = c->rx_queues[i].region;
+ md->rx_queues[i].qid = i;
+ md->rx_queues[i].ring_size = (1 << c->rx_queues[i].log2_ring_size);
+ md->rx_queues[i].flags = c->rx_queues[i].ring->flags;
+ md->rx_queues[i].head = c->rx_queues[i].ring->head;
+ md->rx_queues[i].tail = c->rx_queues[i].ring->tail;
+ md->rx_queues[i].buffer_size = c->run_args.buffer_size;
+ }
 l0 += l1;
 }
 else
 err = MEMIF_ERR_NOBUF_DET;
 
- for (i = 0; i < md->rx_queues_num; i++)
- {
- md->rx_queues[i].region = c->rx_queues[i].region;
- md->rx_queues[i].qid = i;
- md->rx_queues[i].ring_size = (1 << c->rx_queues[i].log2_ring_size);
- md->rx_queues[i].flags = c->rx_queues[i].ring->flags;
- md->rx_queues[i].head = c->rx_queues[i].ring->head;
- md->rx_queues[i].tail = c->rx_queues[i].ring->tail;
- md->rx_queues[i].buffer_size = c->run_args.buffer_size;
- }
-
 md->tx_queues_num = (c->args.is_master) ? c->run_args.num_m2s_rings : c->
 run_args.num_s2m_rings;
 
@@ -2120,22 +2118,21 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
 if (l0 + l1 <= buflen)
 {
 md->tx_queues = (memif_queue_details_t *) buf + l0;
+ for (i = 0; i < md->tx_queues_num; i++)
+ {
+ md->tx_queues[i].region = c->tx_queues[i].region;
+ md->tx_queues[i].qid = i;
+ md->tx_queues[i].ring_size = (1 << c->tx_queues[i].log2_ring_size);
+ md->tx_queues[i].flags = c->tx_queues[i].ring->flags;
+ md->tx_queues[i].head = c->tx_queues[i].ring->head;
+ md->tx_queues[i].tail = c->tx_queues[i].ring->tail;
+ md->tx_queues[i].buffer_size = c->run_args.buffer_size;
+ }
 l0 += l1;
 }
 else
 err = MEMIF_ERR_NOBUF_DET;
 
- for (i = 0; i < md->tx_queues_num; i++)
- {
- md->tx_queues[i].region = c->tx_queues[i].region;
- md->tx_queues[i].qid = i;
- md->tx_queues[i].ring_size = (1 << c->tx_queues[i].log2_ring_size);
- md->tx_queues[i].flags = c->tx_queues[i].ring->flags;
- md->tx_queues[i].head = c->tx_queues[i].ring->head;
- md->tx_queues[i].tail = c->tx_queues[i].ring->tail;
- md->tx_queues[i].buffer_size = c->run_args.buffer_size;
- }
-
 md->link_up_down = (c->fd > 0) ? 1 : 0;
 
 return err; /* 0 */
-- 
cgit 1.2.3-korg