From b6d61e347a64e2263067c8c44415c3ad4d3cea70 Mon Sep 17 00:00:00 2001 From: "Lijian.Zhang" Date: Wed, 22 May 2019 18:33:52 +0800 Subject: session: fix memory out of bound issue Ring data space is following ring vec_header_t and ring elements immediately. Add verification code in session_test. Type: fix Change-Id: I0bfa096a9f459128a588821d99b5cdb4f10ede38 Signed-off-by: Lijian Zhang Reviewed-by: Sirshak Das --- src/plugins/unittest/session_test.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/plugins/unittest/session_test.c') diff --git a/src/plugins/unittest/session_test.c b/src/plugins/unittest/session_test.c index e54c8a6cd86..0d9da537ef0 100644 --- a/src/plugins/unittest/session_test.c +++ b/src/plugins/unittest/session_test.c @@ -1875,6 +1875,8 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input) svm_msg_q_msg_t msg1, msg2, msg[12]; int __clib_unused verbose, i, rv; svm_msg_q_t *mq; + svm_msg_q_ring_t *ring; + u8 *rings_ptr; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { @@ -1899,6 +1901,12 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input) mq = svm_msg_q_alloc (cfg); SESSION_TEST (mq != 0, "svm_msg_q_alloc"); SESSION_TEST (vec_len (mq->rings) == 2, "ring allocation"); + rings_ptr = (u8 *) mq->rings + vec_bytes (mq->rings); + vec_foreach (ring, mq->rings) + { + SESSION_TEST (ring->data == rings_ptr, "ring data"); + rings_ptr += (uword) ring->nitems * ring->elsize; + } msg1 = svm_msg_q_alloc_msg (mq, 8); rv = (mq->rings[0].cursize != 1 -- cgit 1.2.3-korg