[5/6] vhost/crypto: fix data length check
diff mbox series

Message ID 20200928105918.740807-5-ferruh.yigit@intel.com
State Accepted, archived
Delegated to: Thomas Monjalon
Headers show
  • [1/6] vhost/crypto: fix pool allocation
Related show


Context Check Description
ci/checkpatch success coding style OK

Commit Message

Ferruh Yigit Sept. 28, 2020, 10:59 a.m. UTC
From: Fan Zhang <roy.fan.zhang@intel.com>

This patch fixes the incorrect data length check to vhost crypto.
Instead of blindly accepting the descriptor length as data length, the
change compare the request provided data length and descriptor length
first. The security issue CVE-2020-14374 is not fixed alone by this
patch, part of the fix is done through:
"vhost/crypto: fix missed request check for copy mode".

Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
 lib/librte_vhost/vhost_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff mbox series

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index f1cc32a9b2..cf9aa2566b 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -624,7 +624,7 @@  copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
 		desc = &vc_req->head[desc->next];
 		to_copy = RTE_MIN(desc->len, (uint32_t)left);
-		dlen = desc->len;
+		dlen = to_copy;
 		src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
 		if (unlikely(!src || !dlen)) {