diff mbox series

答复: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst

Message ID 5001c75008d9423c885747b51cb1ad55@huawei.com (mailing list archive)
State Not Applicable, archived
Delegated to: Andrew Rybchenko
Headers
Series 答复: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst |

Checks

Context Check Description
ci/Intel-compilation success Compilation OK
ci/iol-testing warning apply patch failure
ci/intel-Testing success Testing PASS

Commit Message

humin (Q) July 20, 2022, 1:28 a.m. UTC 
  Acked-by: Min Hu (Connor) <humin29@huawei.com>

-----邮件原件-----
发件人: wangyunjian <wangyunjian@huawei.com> 
发送时间: 2022年7月18日 21:09
收件人: dev@dpdk.org
抄送: chas3@att.com; humin (Q) <humin29@huawei.com>; Huangshaozhang <huangshaozhang@huawei.com>; jilei (F) <jilei8@huawei.com>; wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
主题: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst

In bond_ethdev_rx_burst() function, we check the validity of the 'active_slave' as this code:
if (++active_slave == slave_count)
	active_slave = 0;
However, the value of 'active_slave' maybe equal to 'slave_count', when a slave is down. This is wrong and it can cause buffer overflow.
This patch fixes the issue by using '>=' instead of '=='.

Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness")
Cc: stable@dpdk.org

Signed-off-by: Lei Ji <jilei8@huawei.com>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 drivers/net/bonding/rte_eth_bond_pmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.27.0

Comments

Ferruh Yigit Aug. 25, 2022, 4:39 p.m. UTC | #1 
On 7/20/2022 2:28 AM, humin (Q) wrote:

> -----邮件原件-----
> 发件人: wangyunjian <wangyunjian@huawei.com>
> 发送时间: 2022年7月18日 21:09
> 收件人: dev@dpdk.org
> 抄送: chas3@att.com; humin (Q) <humin29@huawei.com>; Huangshaozhang <huangshaozhang@huawei.com>; jilei (F) <jilei8@huawei.com>; wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
> 主题: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst
> 
> In bond_ethdev_rx_burst() function, we check the validity of the 'active_slave' as this code:
> if (++active_slave == slave_count)
> 	active_slave = 0;
> However, the value of 'active_slave' maybe equal to 'slave_count', when a slave is down. This is wrong and it can cause buffer overflow.
> This patch fixes the issue by using '>=' instead of '=='.
> 
> Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Lei Ji <jilei8@huawei.com>
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
 >
 > Acked-by: Min Hu (Connor) <humin29@huawei.com>
 >

Applied to dpdk-next-net/main, thanks.
diff mbox series

Patch

diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c
index 73e6972035..6f8a6da108 100644
--- a/drivers/net/bonding/rte_eth_bond_pmd.c
+++ b/drivers/net/bonding/rte_eth_bond_pmd.c
@@ -82,7 +82,7 @@  bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					 bufs + num_rx_total, nb_pkts);
 		num_rx_total += num_rx_slave;
 		nb_pkts -= num_rx_slave;
-		if (++active_slave == slave_count)
+		if (++active_slave >= slave_count)
 			active_slave = 0;
 	}