bitmap: fix buffer overrun in bitmap init

[ upstream commit 1ffd3bc ] Bitmap initialization function is allowed to memset() caller-provided buffer with number of bytes exceeded this buffer size. This happens due to wrong comparison sign between buffer size and number of bytes required to initialize bitmap. Fixes: 602c9ca ("sched: bitmap is now dynamically allocated") Reported-by: Andy Moreton <amoreton@xilinx.com> Signed-off-by: Ivan Ilchenko <ivan.ilchenko@oktetlabs.ru> Reviewed-by: Andy Moreton <amoreton@xilinx.com> Signed-off-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru> Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
bluca · Jul 12, 2021 · cd12bf5 · cd12bf5
1 parent 7af7de2
commit cd12bf5
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/lib/librte_eal/include/rte_bitmap.h b/lib/librte_eal/include/rte_bitmap.h
@@ -185,9 +185,8 @@ rte_bitmap_init(uint32_t n_bits, uint8_t *mem, uint32_t mem_size)
 	size = __rte_bitmap_get_memory_footprint(n_bits,
 		&array1_byte_offset, &array1_slabs,
 		&array2_byte_offset, &array2_slabs);
-	if (size < mem_size) {
+	if (size > mem_size)
 		return NULL;
-	}
 
 	/* Setup bitmap */
 	memset(mem, 0, size);