The condition in rte_power_set_uncore_env() uses '<=' instead of '<'
when comparing the env argument against the size of uncore_env_str[].
Since RTE_DIM(uncore_env_str) equals 4 and valid indices are 0..3,
a caller passing env=4 bypasses the guard and causes an out-of-bounds
read of uncore_env_str[4] at two sites within the same block.
Fix by replacing '<=' with '<', consistent with the correct pattern
already used in rte_power_uncore_init() in the same file.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: ac1edcb6621a ("power: refactor uncore power management API")
Cc: [email protected]
Signed-off-by: Denis Sergeev <[email protected]>
---
lib/power/rte_power_uncore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/power/rte_power_uncore.c b/lib/power/rte_power_uncore.c
index 25bdb113c5..b50e09a2ad 100644
--- a/lib/power/rte_power_uncore.c
+++ b/lib/power/rte_power_uncore.c
@@ -67,7 +67,7 @@ rte_power_set_uncore_env(enum rte_uncore_power_mgmt_env env)
*/
env = RTE_UNCORE_PM_ENV_INTEL_UNCORE;
- if (env <= RTE_DIM(uncore_env_str)) {
+ if (env < RTE_DIM(uncore_env_str)) {
RTE_TAILQ_FOREACH(ops, &uncore_ops_list, next)
if (strncmp(ops->name, uncore_env_str[env],
RTE_POWER_UNCORE_DRIVER_NAMESZ) == 0) {
--
2.50.1
