It is possible to get an integer overflow if we try to reserve a memzone with len = 0 (meaning the maximum contiguous space available) and the maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).
Issue reported by Coverity: >>> 10. overflow: Subtract operation overflows on operands len and >>> 64UL. >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW) >>> 11. overflow_sink: Overflowed or truncated value (or a value >>> computed from an overflowed or truncated value) >>> len - 64UL - align used as return value. 122 return len - MALLOC_ELEM_OVERHEAD - align; Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc") Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy at intel.com> --- lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/eal_common_memzone.c b/lib/librte_eal/common/eal_common_memzone.c index 452679e..5d28341 100644 --- a/lib/librte_eal/common/eal_common_memzone.c +++ b/lib/librte_eal/common/eal_common_memzone.c @@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align) } } + if (len < MALLOC_ELEM_OVERHEAD + align) + return 0; + return len - MALLOC_ELEM_OVERHEAD - align; } @@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name, size_t len, if (len == 0) { if (bound != 0) requested_len = bound; - else + else { requested_len = find_heap_max_free_elem(&socket_id, align); + if (requested_len == 0) { + rte_errno = ENOMEM; + return NULL; + } + } } if (socket_id == SOCKET_ID_ANY) -- 2.4.11