DPDK vrouter: Incorrect size in sprintf causes memory corruption

Bug #1710864 reported by Sergey Kreys
This bug affects 1 person
Affects             Status          Importance   Assigned to   Milestone
Juniper Openstack   Status tracked in Trunk
  R4.0              Fix Committed   Undecided    Unassigned
  Trunk             Fix Committed   Undecided    Unassigned
OpenContrail        New             Undecided    Unassigned

Bug Description

We use Contrail 4.0 with DPDK.

contrail-vrouter-dpdk fails with this trace:
*** Error in `/usr/bin/contrail-vrouter-dpdk': corrupted size vs. prev_size: 0x0000000006722030 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f01a5bae7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82aec)[0x7f01a5bb9aec]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f01a5bbb184]
/lib/x86_64-linux-gnu/libc.so.6(__strdup+0x1a)[0x7f01a5bc248a]
/usr/bin/contrail-vrouter-dpdk[0x430021]
/usr/bin/contrail-vrouter-dpdk[0x40b74e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f01a5b57830]
/usr/bin/contrail-vrouter-dpdk[0x40c0a9]

The root cause is memory corruption caused by malloc & sprintf in dpdk/vr_dpdk_table_mem.c L204-205:
            file_name = malloc(strlen(hpi->mnt) + strlen(hp_file_name) + 1);
            sprintf(file_name, "%s/%s", hpi->mnt, hp_file_name);

Size in malloc should be "+ 2" not "+ 1".

Tags: vrouter
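
The sizing error described above, as an added example that is not part of the original report or the contrail-vrouter source: the buffer size is computed by the same format string that fills it, an alternative to hand-counting the "+ 2". The function names and the sample path values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes "%s/%s" writes for these inputs, including the terminating NUL. */
size_t path_bytes_needed(const char *dir, const char *name)
{
    int n = snprintf(NULL, 0, "%s/%s", dir, name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Size the reported code passed to malloc(): no room for the '/'. */
size_t path_bytes_reported(const char *dir, const char *name)
{
    return strlen(dir) + strlen(name) + 1;
}

/* Hypothetical helper (not from contrail-vrouter): join dir and name with
 * the buffer sized from the format string itself, so size and contents
 * cannot drift apart. Returns a malloc'd string or NULL; caller frees. */
char *path_join(const char *dir, const char *name)
{
    size_t size = path_bytes_needed(dir, name);
    char *buf; int n;
    if (size == 0)
        return NULL;
    buf = malloc(size);
    if (buf == NULL)
        return NULL;
    n = snprintf(buf, size, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= size) {   /* error or truncation */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const char *mnt = "/dev/hugepages", *file = "flow_table";
    char *p = path_join(mnt, file);
    printf("malloc size in report: %zu, needed: %zu, path: %s\n",
           path_bytes_reported(mnt, file), path_bytes_needed(mnt, file),
           p ? p : "(none)");
    free(p);
    return 0;
}
```

The one-byte gap between the two sizes is the terminating NUL that sprintf writes past the end of the allocation, which is what glibc later detects as corrupted chunk metadata.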
Sergey Kreys (skreys)
summary: - DPDK vrouter: Incorrect size in snprintf causes memory corruption
+ DPDK vrouter: Incorrect size in sprintf causes memory corruption
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34584
Submitter: Sergey Kreys (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34584
Committed: http://github.com/Juniper/contrail-vrouter/commit/cb881abeec01b51ae6c3303b11c3fbcf782ee75b
Submitter: Zuul (<email address hidden>)
Branch: master

commit cb881abeec01b51ae6c3303b11c3fbcf782ee75b
Author: Sergey Kreys <email address hidden>
Date: Tue Aug 15 14:33:15 2017 +0300

Fix size of file_name in vr_dpdk_table_mem.c

Change-Id: I8301701022ab0988af2752fdfdfc5d770df9d229
Closes-bug: #1710864

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34629
Submitter: Sergey Kreys (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34629
Committed: http://github.com/Juniper/contrail-vrouter/commit/9aa9af2c026c8335437769054fa2d150522a9952
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 9aa9af2c026c8335437769054fa2d150522a9952
Author: Sergey Kreys <email address hidden>
Date: Tue Aug 15 14:33:15 2017 +0300

Fix size of file_name in vr_dpdk_table_mem.c

Change-Id: I8301701022ab0988af2752fdfdfc5d770df9d229
Closes-bug: #1710864
(cherry picked from commit cb881abeec01b51ae6c3303b11c3fbcf782ee75b)
