diff options
| author | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2021-01-10 13:49:51 +0000 |
|---|---|---|
| committer | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2021-01-10 13:59:20 +0000 |
| commit | 4ba9ad0dc316940f32065b05f24259f942c0692d (patch) | |
| tree | 5640d68e56209f2b3b77c7c80d5561813a2e35da | |
| parent | 4f2cbaf3cd5900b06d3b5ad97db1962ec4fa0ffd (diff) | |
| download | src-4ba9ad0dc316940f32065b05f24259f942c0692d.tar.gz src-4ba9ad0dc316940f32065b05f24259f942c0692d.zip | |
iflib: add assert to prevent out-of-bounds array access
The iflib_queues_alloc() allocates isc_nrxqs iflib_dma_info structs
for each rxqset, and links each struct to a different free list.
As a result, it must be isc_nrxqs >= isc_nfl (plus the completion
queue, if present).
Add an assertion to make this constraint explicit.
MFC after: 2 weeks
| -rw-r--r-- | sys/net/iflib.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/sys/net/iflib.c b/sys/net/iflib.c index 3de80ecaeb0c..e53c5031d3a7 100644 --- a/sys/net/iflib.c +++ b/sys/net/iflib.c @@ -5547,11 +5547,14 @@ iflib_queues_alloc(if_ctx_t ctx) uint8_t nrxqs = sctx->isc_nrxqs; uint8_t ntxqs = sctx->isc_ntxqs; int nfree_lists = sctx->isc_nfl ? sctx->isc_nfl : 1; + int fl_offset = (sctx->isc_flags & IFLIB_HAS_RXCQ ? 1 : 0); caddr_t *vaddrs; uint64_t *paddrs; KASSERT(ntxqs > 0, ("number of queues per qset must be at least 1")); KASSERT(nrxqs > 0, ("number of queues per qset must be at least 1")); + KASSERT(nrxqs >= fl_offset + nfree_lists, + ("there must be at least a rxq for each free list")); /* Allocate the TX ring struct memory */ if (!(ctx->ifc_txqs = @@ -5659,11 +5662,7 @@ iflib_queues_alloc(if_ctx_t ctx) } rxq->ifr_ctx = ctx; rxq->ifr_id = i; - if (sctx->isc_flags & IFLIB_HAS_RXCQ) { - rxq->ifr_fl_offset = 1; - } else { - rxq->ifr_fl_offset = 0; - } + rxq->ifr_fl_offset = fl_offset; rxq->ifr_nfl = nfree_lists; if (!(fl = (iflib_fl_t) malloc(sizeof(struct iflib_fl) * nfree_lists, M_IFLIB, M_NOWAIT | M_ZERO))) { |