vppinfra: fix potential memory access error in _pool_init_fixed
_pool_init_fixed uses mmap to initialize a fixed-size and preallocated pool, whose size is the sum of vector_size and free_index_size with alignment to the CLIB_CACHE_LINE_BYTES and page size. In this way vector_size equals to pool_header_t + vec_header_t + elt_size * max_elts so moving to the end of the pool space should be pool_header_t pointer + vector_size, instead of vec_header_t pointer + vector_size. Simple code to reproduce this error: u64 *pool; pool_init_fixed(pool, 2042); Improve unit test to cover this case Type: fix Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com> Reviewed-by: Lijian Zhang <lijian.zhang@arm.com> Reviewed-by: Tianyu Li <tianyu.li@arm.com> Change-Id: If088ef89b3dcb2d874ee837ae9da60983b14615c Signed-off-by: Dave Barach <dave@barachs.net>
This commit is contained in:
Jieqiang Wang
committed by
Dave Barach
Dave Barach
parent
2c0dc3e586
commit
039f289e51
@@ -19,30 +19,38 @@ static clib_error_t *
|
||||
test_pool_command_fn (vlib_main_t *vm, unformat_input_t *input,
|
||||
vlib_cli_command_t *cmd)
|
||||
{
|
||||
int i;
|
||||
static int sizes[] = { 3, 31, 2042, 2048 };
|
||||
|
||||
int i, j;
|
||||
u64 *pool;
|
||||
uword this_size;
|
||||
|
||||
pool_init_fixed (pool, 2048);
|
||||
|
||||
i = 0;
|
||||
|
||||
while (pool_free_elts (pool) > 0)
|
||||
for (j = 0; j < ARRAY_LEN (sizes); j++)
|
||||
{
|
||||
u64 *p __attribute__ ((unused));
|
||||
this_size = sizes[j];
|
||||
|
||||
pool_get (pool, p);
|
||||
i++;
|
||||
pool_init_fixed (pool, this_size);
|
||||
|
||||
i = 0;
|
||||
|
||||
while (pool_free_elts (pool) > 0)
|
||||
{
|
||||
u64 *p __attribute__ ((unused));
|
||||
|
||||
pool_get (pool, p);
|
||||
i++;
|
||||
}
|
||||
|
||||
vlib_cli_output (vm, "allocated %d elts\n", i);
|
||||
|
||||
for (--i; i >= 0; i--)
|
||||
{
|
||||
pool_put_index (pool, i);
|
||||
}
|
||||
|
||||
ALWAYS_ASSERT (pool_free_elts (pool) == this_size);
|
||||
}
|
||||
|
||||
vlib_cli_output (vm, "allocated %d elts\n", i);
|
||||
|
||||
for (--i; i >= 0; i--)
|
||||
{
|
||||
pool_put_index (pool, i);
|
||||
}
|
||||
|
||||
ALWAYS_ASSERT (pool_free_elts (pool) == 2048);
|
||||
|
||||
vlib_cli_output (vm, "Test succeeded...\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
+1
-1
@@ -97,7 +97,7 @@ _pool_init_fixed (void **pool_ptr, u32 elt_size, u32 max_elts)
|
||||
vh->len = max_elts;
|
||||
|
||||
/* Build the free-index vector */
|
||||
vh = (vec_header_t *) (v + vector_size);
|
||||
vh = (vec_header_t *) ((u8 *) fh + vector_size);
|
||||
vh->len = max_elts;
|
||||
fi = (u32 *) (vh + 1);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user