From b6d61e347a64e2263067c8c44415c3ad4d3cea70 Mon Sep 17 00:00:00 2001
From: "Lijian.Zhang"
Date: Wed, 22 May 2019 18:33:52 +0800
Subject: session: fix memory out of bound issue
Ring data space is following ring vec_header_t and ring elements immediately. Add verification code in session_test.
Type: fix
Change-Id: I0bfa096a9f459128a588821d99b5cdb4f10ede38
Signed-off-by: Lijian Zhang
Reviewed-by: Sirshak Das
---
 src/plugins/unittest/session_test.c | 8 ++++++++
 src/svm/message_queue.c | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/plugins/unittest/session_test.c b/src/plugins/unittest/session_test.c
index e54c8a6cd86..0d9da537ef0 100644
--- a/src/plugins/unittest/session_test.c
+++ b/src/plugins/unittest/session_test.c
@@ -1875,6 +1875,8 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input)
 svm_msg_q_msg_t msg1, msg2, msg[12];
 int __clib_unused verbose, i, rv;
 svm_msg_q_t *mq;
+ svm_msg_q_ring_t *ring;
+ u8 *rings_ptr;
 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
 {
@@ -1899,6 +1901,12 @@ session_test_mq_basic (vlib_main_t * vm, unformat_input_t * input)
 mq = svm_msg_q_alloc (cfg);
 SESSION_TEST (mq != 0, "svm_msg_q_alloc");
 SESSION_TEST (vec_len (mq->rings) == 2, "ring allocation");
+ rings_ptr = (u8 *) mq->rings + vec_bytes (mq->rings);
+ vec_foreach (ring, mq->rings)
+ {
+ SESSION_TEST (ring->data == rings_ptr, "ring data");
+ rings_ptr += (uword) ring->nitems * ring->elsize;
+ }
 msg1 = svm_msg_q_alloc_msg (mq, 8);
 rv = (mq->rings[0].cursize != 1
diff --git a/src/svm/message_queue.c b/src/svm/message_queue.c
index 13d089a97cc..630442064f8 100644
--- a/src/svm/message_queue.c
+++ b/src/svm/message_queue.c
@@ -72,7 +72,7 @@ svm_msg_q_alloc (svm_msg_q_cfg_t * cfg)
 vh = (vec_header_t *) ((u8 *) mq->q + q_sz);
 vh->len = cfg->n_rings;
 mq->rings = (svm_msg_q_ring_t *) (vh + 1);
- rings_ptr = (u8 *) mq->rings + vec_sz;
+ rings_ptr = (u8 *) mq->rings + sizeof (svm_msg_q_ring_t) * cfg->n_rings;
 for (i = 0; i < cfg->n_rings; i++)
 {
 ring = &mq->rings[i];
--
cgit 1.2.3-korg
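Review bot: Nothing visible in svm_msg_q_alloc checks that the last ring's data ends inside the allocated region, so the corrected `rings_ptr = (u8 *) mq->rings + sizeof (svm_msg_q_ring_t) * cfg->n_rings;` is only safe while it stays in step with the allocation size, which is computed outside this hunk. The removed line suggests `vec_sz` also counted the vector header, which would explain the overshoot, but that is inferred. I would add a layout comment above the assignment, `/* ring data starts right after the n_rings descriptors; the vec header sits before mq->rings */`, and, assuming the loop advances `rings_ptr` per ring as the test does, an `ASSERT` after the loop that it stops exactly at the end of the allocation. It is also worth confirming that the per-ring size in the loop uses the same widened multiplication as the test's `(uword) ring->nitems * ring->elsize`, since both factors come from `cfg`. The loop body and the rest of the function continue outside the hunk.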