Re: [dpdk-dev] [PATCH] net/i40e: fix the security risk of wild pointer operation

Thu, 14 May 2020 19:25:24 -0700 

Can any one view for this patch?
Thanks!


> -----Original Message-----
> From: Zhao1, Wei <wei.zh...@intel.com>
> Sent: Tuesday, May 12, 2020 11:19 PM
> To: dev@dpdk.org
> Cc: sta...@dpdk.org; Xing, Beilei <beilei.x...@intel.com>; Zhao1, Wei
> <wei.zh...@intel.com>
> Subject: [PATCH] net/i40e: fix the security risk of wild pointer operation
> 
> In i40e PMD code of function i40e_res_pool_free(), if valid_entry is freed by
> "rte_free(valid_entry);" in the following code:
> 
> if (prev != NULL) {
>  ........................
> 
>    if (insert == 1) {
>      LIST_REMOVE(valid_entry, next);
>      rte_free(valid_entry);
>     } else {
>      rte_free(valid_entry);
>      insert = 1;
>     }
>   }
> 
> then the following code for pool update may still use the wild pointer
> "valid_entry":
> 
> " pool->num_free += valid_entry->len;
>   pool->num_alloc -= valid_entry>len;
> "
> it seems to be a security bug, we should avoid this risk.
> 
> Cc: sta...@dpdk.org
> Fixes: 4861cde46116 ("i40e: new poll mode driver")
> 
> Signed-off-by: Wei Zhao <wei.zh...@intel.com>
> ---
>  drivers/net/i40e/i40e_ethdev.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c
> index 749d85f54..7f8ea5309 100644
> --- a/drivers/net/i40e/i40e_ethdev.c
> +++ b/drivers/net/i40e/i40e_ethdev.c
> @@ -4973,6 +4973,9 @@ i40e_res_pool_free(struct i40e_res_pool_info
> *pool,
>       }
> 
>       insert = 0;
> +     pool->num_free += valid_entry->len;
> +     pool->num_alloc -= valid_entry->len;
> +
>       /* Try to merge with next one*/
>       if (next != NULL) {
>               /* Merge with next one */
> @@ -5010,9 +5013,6 @@ i40e_res_pool_free(struct i40e_res_pool_info
> *pool,
>                       LIST_INSERT_HEAD(&pool->free_list, valid_entry, next);
>       }
> 
> -     pool->num_free += valid_entry->len;
> -     pool->num_alloc -= valid_entry->len;
> -
>       return 0;
>  }
> 
> --
> 2.17.1

Reply via email to