Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue

Wed, 06 May 2020 22:56:03 -0700 

Hi, xiaolong

> -----Original Message-----
> From: Ye, Xiaolong
> Sent: Thursday, May 7, 2020 1:15 PM
> To: Di, ChenxuX <chenxux...@intel.com>
> Cc: dev@dpdk.org; Xing, Beilei <beilei.x...@intel.com>
> Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue
> 
> On 05/07, Chenxu Di wrote:
> >This patch fixes (out-of-bounds read) coverity issue.
> >
> >Coverity issue: 357699
> >Coverity issue: 357694
> >Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS
> >flow")
> >
> >Signed-off-by: Chenxu Di <chenxux...@intel.com>
> >---
> > drivers/net/i40e/i40e_ethdev.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/drivers/net/i40e/i40e_ethdev.c
> >b/drivers/net/i40e/i40e_ethdev.c index 749d85f54..6c295ac5a 100644
> >--- a/drivers/net/i40e/i40e_ethdev.c
> >+++ b/drivers/net/i40e/i40e_ethdev.c
> >@@ -13180,7 +13180,7 @@ i40e_rss_config_hash_function(struct i40e_pf *pf,
> >             }
> >
> >             for (j = I40E_FILTER_PCTYPE_INVALID + 1;
> >-                 j < I40E_FILTER_PCTYPE_MAX; j++) {
> >+                 j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
> 
> I see i is defined as uint32_t, why compare it to UINT64_BIT here?
> And could you specify where is the out of bounds read before the fix?

The UINT64_BIT is the define of 64. And i is just used as the index of 
pctypes_tbl[].
And the code is just copy the function i40e_set_hash_filter_global_config(),
So I don't why he use the define UINT64_BIT as the value 64.

> 
> >                     if (pf->adapter->pctypes_tbl[i] & (1ULL << j))

the out of bounds read is the pctypes_tbl[i]. the above code is that :

                for (i = RTE_ETH_FLOW_UNKNOWN + 1; i < UINT64_BIT; i++) {
                        if (mask0 & (1UL << i))
                                break;
                }
If the loop doesn't break; the value of i will be 64 while the length of 
pctypes_tbl[] is 64.

> >                             i40e_write_global_rx_ctl(hw,
> >                                     I40E_GLQF_HSYM(j),
> >@@ -13312,7 +13312,7 @@ i40e_rss_clear_hash_function(struct i40e_pf *pf,
> >             }
> >
> >             for (j = I40E_FILTER_PCTYPE_INVALID + 1;
> >-                 j < I40E_FILTER_PCTYPE_MAX; j++) {
> >+                 j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
> >                     if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
> >                             i40e_write_global_rx_ctl(hw,
> >                                     I40E_GLQF_HSYM(j),
> >--
> >2.17.1
> >

Reply via email to