Re: [PATCH 2/3] net/bonding: fix illegal memory accesses

[Ferruh Yigit]

On 10/10/2023 7:23 AM, Chaoyong He wrote:
> From: Long Wu <long...@corigine.com>
> 
> CI found that overrunning array of 32 2-byte elements at
> element index 65535 (byte offset 131071) by dereferencing
> pointer "members + agg_new_idx".
> 
> Coverity issue: 403099
> Fixes: 6d72657ce379 ("net/bonding: add other aggregator modes")
> Cc: danielx.t.mrzyg...@intel.com
> Cc: sta...@dpdk.org
> 
> Signed-off-by: Long Wu <long...@corigine.com>
> Reviewed-by: Chaoyong He <chaoyong...@corigine.com>
> Reviewed-by: Peng Zhang <peng.zh...@corigine.com>
> ---
>  drivers/net/bonding/rte_eth_bond_8023ad.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/bonding/rte_eth_bond_8023ad.c 
> b/drivers/net/bonding/rte_eth_bond_8023ad.c
> index 677067870f..0be33f61e3 100644
> --- a/drivers/net/bonding/rte_eth_bond_8023ad.c
> +++ b/drivers/net/bonding/rte_eth_bond_8023ad.c
> @@ -732,10 +732,14 @@ selection_logic(struct bond_dev_private *internals, 
> uint16_t member_id)
>       switch (internals->mode4.agg_selection) {
>       case AGG_COUNT:
>               agg_new_idx = max_index(agg_count, members_count);
> +             if (agg_new_idx >= members_count)
> +                     agg_new_idx = default_member;
>               new_agg_id = members[agg_new_idx];
>

Overrun may happen when 'max_index()' returns error, '-1', which becomes
'UINT16_MAX' as function returns 'uint16_t'.

And 'max_index()' returns error only if "members_count <= 0", but as far
as I can see 'members_count' can't be "<= 0" anyway.

What do you think to remove check in the 'max_index()', or add a check
in 'selection_logic()' for 'members_count == 0', but not sure what to do
'max_index()'in this case, so updating 'max_index()' is simpler.