The sum of offset + length, both 32 bit unsigned integers, could wrap
around, causing comparisons to give the wrong result.
This was fixed by using 64 bit instead of 32 bit for calculating the sum.
Note:
When the branch is not taken for the initial "if ((uint64_t)off + len >
rte_pktmbuf_pkt_len(m))" comparison, the sum is known to not exceed the
maximum possible value of rte_pktmbuf_pkt_len(m), UINT32_MAX, and
following sum calculations can proceed using 32 bit.
Fixes: b84110e7baa2 ("mbuf: add function to read packet data")
Cc: [email protected]
Signed-off-by: Morten Brørup <[email protected]>
---
lib/mbuf/rte_mbuf.c | 2 +-
lib/mbuf/rte_mbuf.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/mbuf/rte_mbuf.c b/lib/mbuf/rte_mbuf.c
index a5d16e4c97..c2476e7704 100644
--- a/lib/mbuf/rte_mbuf.c
+++ b/lib/mbuf/rte_mbuf.c
@@ -795,7 +795,7 @@ const void *__rte_pktmbuf_read(const struct rte_mbuf *m,
uint32_t off,
const struct rte_mbuf *seg = m;
uint32_t buf_off = 0, copy_len;
- if (off + len > rte_pktmbuf_pkt_len(m))
+ if ((uint64_t)off + len > rte_pktmbuf_pkt_len(m))
return NULL;
while (off >= rte_pktmbuf_data_len(seg)) {
diff --git a/lib/mbuf/rte_mbuf.h b/lib/mbuf/rte_mbuf.h
index 592af2388c..d6602f74bc 100644
--- a/lib/mbuf/rte_mbuf.h
+++ b/lib/mbuf/rte_mbuf.h
@@ -1843,7 +1843,7 @@ const void *__rte_pktmbuf_read(const struct rte_mbuf *m,
uint32_t off,
static inline const void *rte_pktmbuf_read(const struct rte_mbuf *m,
uint32_t off, uint32_t len, void *buf)
{
- if (likely(off + len <= rte_pktmbuf_data_len(m)))
+ if (likely((uint64_t)off + len <= rte_pktmbuf_data_len(m)))
return rte_pktmbuf_mtod_offset(m, char *, off);
else
return __rte_pktmbuf_read(m, off, len, buf);
--
2.43.0
