It is possible to get an integer overflow if we try to reserve a memzone
with len = 0 (meaning the maximum contiguous space available) and the
maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).
Issue reported by Coverity:
>>> 10. overflow: Subtract operation overflows on operands len and
>>> 64UL.
>>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
>>> 11. overflow_sink: Overflowed or truncated value (or a value
>>> computed from an overflowed or truncated value)
>>> len - 64UL - align used as return value.
122 return len - MALLOC_ELEM_OVERHEAD - align;
Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy at intel.com>
---
lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/librte_eal/common/eal_common_memzone.c
b/lib/librte_eal/common/eal_common_memzone.c
index 452679e..5d28341 100644
--- a/lib/librte_eal/common/eal_common_memzone.c
+++ b/lib/librte_eal/common/eal_common_memzone.c
@@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align)
}
}
+ if (len < MALLOC_ELEM_OVERHEAD + align)
+ return 0;
+
return len - MALLOC_ELEM_OVERHEAD - align;
}
@@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name,
size_t len,
if (len == 0) {
if (bound != 0)
requested_len = bound;
- else
+ else {
requested_len = find_heap_max_free_elem(&socket_id,
align);
+ if (requested_len == 0) {
+ rte_errno = ENOMEM;
+ return NULL;
+ }
+ }
}
if (socket_id == SOCKET_ID_ANY)
--
2.4.11
