From 039f289e516b073f6db67f7b35aa3aa64fdc9c82 Mon Sep 17 00:00:00 2001
From: Jieqiang Wang
Date: Thu, 29 Jul 2021 17:03:16 +0000
Subject: vppinfra: fix potential memory access error in _pool_init_fixed

_pool_init_fixed uses mmap to initialize a fixed-size and preallocated pool, whose size is the sum of vector_size and free_index_size with alignment to the CLIB_CACHE_LINE_BYTES and page size. In this way vector_size equals to pool_header_t + vec_header_t + elt_size * max_elts so moving to the end of the pool space should be pool_header_t pointer + vector_size, instead of vec_header_t pointer + vector_size.

Simple code to reproduce this error:
u64 *pool;
pool_init_fixed(pool, 2042);

Improve unit test to cover this case

Type: fix
Signed-off-by: Jieqiang Wang
Reviewed-by: Lijian Zhang
Reviewed-by: Tianyu Li
Change-Id: If088ef89b3dcb2d874ee837ae9da60983b14615c
Signed-off-by: Dave Barach
---
 src/vppinfra/pool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/vppinfra/pool.c')

diff --git a/src/vppinfra/pool.c b/src/vppinfra/pool.c
index 78361b5457e..c2f587a93f4 100644
--- a/src/vppinfra/pool.c
+++ b/src/vppinfra/pool.c
@@ -97,7 +97,7 @@ _pool_init_fixed (void **pool_ptr, u32 elt_size, u32 max_elts)
  vh->len = max_elts;
  /* Build the free-index vector */
- vh = (vec_header_t *) (v + vector_size);
+ vh = (vec_header_t *) ((u8 *) fh + vector_size);
  vh->len = max_elts;
  fi = (u32 *) (vh + 1);
-- 
cgit 1.2.3-korg
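Review bot: The corrected address for the free-index header on the added line still encodes the pool layout as bare pointer arithmetic with no check that `(u8 *) fh + vector_size + free_index_size` stays inside the region the function mapped, so a future change to how `vector_size` or `free_index_size` is computed would again store `vh->len` (and the `fi` array that follows) outside the mapping with no diagnostic. Because the mapping is rounded up to the page size (per the commit message), such an overshoot is usually absorbed by slack and only surfaces for particular `max_elts` values, as the `2042` reproducer shows, which is exactly what a debug-build `ASSERT` on the mapped length, placed before the `vh->len = max_elts;` store, would catch deterministically. The added line would also benefit from a layout comment, e.g. `/* layout: pool_header_t | vec_header_t | elts[max_elts] | vec_header_t | free indices; vector_size spans the first three */`, since the only statement of that layout is in the commit message rather than in the code. The body of `_pool_init_fixed` starts and ends outside the hunk, so the variables holding the mapped size and the origin of `fh` are not visible here; the note assumes `fh` is the `pool_header_t *` at the start of the mapping, as the commit message describes.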