From patchwork Tue Nov 12 15:18:49 2019
X-Patchwork-Submitter: Maxime Coquelin
X-Patchwork-Id: 62892
From: Maxime Coquelin
To: dev@dpdk.org, stable@dpdk.org
Cc: Stefan Hajnoczi, Maxime Coquelin
Date: Tue, 12 Nov 2019 16:18:49 +0100
Message-Id: <20191112151852.27341-1-maxime.coquelin@redhat.com>
Subject: [dpdk-dev] [v16.11 PATCH v2 1/4] vhost: validate virtqueue size

From: Stefan Hajnoczi

[ backported from upstream commit eb7c574b21cc92792ea5a1f219ddf6dd3cf3b1e1 ]

Check the virtqueue size constraints so that invalid values don't cause bugs later on in the code. For example, sometimes the virtqueue size is stored as unsigned int and sometimes as uint16_t, so bad things happen if it is ever larger than 65535.

Signed-off-by: Stefan Hajnoczi
Reviewed-by: Maxime Coquelin
--- lib/librte_vhost/vhost_user.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 618d413fe1..8a01c295e7 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c 
@@ -189,6 +189,17 @@ vhost_user_set_vring_num(struct virtio_net *dev, vq->size = state->num; + /* VIRTIO 1.0, 2.4 Virtqueues says: + * + * Queue Size value is always a power of 2. The maximum Queue Size + * value is 32768. + */ + if ((vq->size & (vq->size - 1)) || vq->size > 32768) { + RTE_LOG(ERR, VHOST_CONFIG, + "invalid virtqueue size %u\n", vq->size); + return -1; + } + if (dev->dequeue_zero_copy) { vq->nr_zmbuf = 0; vq->last_zmbuf_idx = 0;

From patchwork Tue Nov 12 15:18:50 2019
X-Patchwork-Submitter: Maxime Coquelin
X-Patchwork-Id: 62893
From: Maxime Coquelin
To: dev@dpdk.org, stable@dpdk.org
Cc: Maxime Coquelin, "Dr . David Alan Gilbert"
Date: Tue, 12 Nov 2019 16:18:50 +0100
Message-Id: <20191112151852.27341-2-maxime.coquelin@redhat.com>
In-Reply-To: <20191112151852.27341-1-maxime.coquelin@redhat.com>
Subject: [dpdk-dev] [v16.11 PATCH v2 2/4] vhost: add number of fds to vhost-user messages

As soon as some ancillary data (fds) are received, it is copied without checking its length. This patch adds the number of fds received to the message, which is set in read_vhost_message(). This is preliminary work to support sending fds to Qemu.

Signed-off-by: Dr. David Alan Gilbert
Signed-off-by: Maxime Coquelin
(cherry picked from commit c00bb88d35fe975ede0ea35bdf4f765a2cece7e8)
Signed-off-by: Maxime Coquelin
--- lib/librte_vhost/socket.c | 22 +++++++++++++++++----- lib/librte_vhost/vhost_user.c | 2 +- lib/librte_vhost/vhost_user.h | 4 +++- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c index 805b2e5b23..4a19280fb3 100644 --- a/lib/librte_vhost/socket.c 
+++ b/lib/librte_vhost/socket.c @@ -101,17 +101,23 @@ static struct vhost_user vhost_user = { .mutex = PTHREAD_MUTEX_INITIALIZER, }; -/* return bytes# of read on success or negative val on failure. */ +/* + * return bytes# of read on success or negative val on failure. Update fdnum + * with number of fds read. + */ int -read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num) +read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds, + int *fd_num) { struct iovec iov; struct msghdr msgh; - size_t fdsize = fd_num * sizeof(int); - char control[CMSG_SPACE(fdsize)]; + char control[CMSG_SPACE(max_fds * sizeof(int))]; struct cmsghdr *cmsg; + int got_fds = 0; int ret; + *fd_num = 0; + memset(&msgh, 0, sizeof(msgh)); iov.iov_base = buf; iov.iov_len = buflen; @@ -136,11 +142,17 @@ read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num) cmsg = CMSG_NXTHDR(&msgh, cmsg)) { if ((cmsg->cmsg_level == SOL_SOCKET) && (cmsg->cmsg_type == SCM_RIGHTS)) { - memcpy(fds, CMSG_DATA(cmsg), fdsize); + got_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int); + *fd_num = got_fds; + memcpy(fds, CMSG_DATA(cmsg), got_fds * sizeof(int)); break; } } + /* Clear out unused file descriptors */ + while (got_fds < max_fds) + fds[got_fds++] = -1; + return ret; } diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 8a01c295e7..b8f6a9fba5 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -963,7 +963,7 @@ read_vhost_message(int sockfd, struct VhostUserMsg *msg) int ret; ret = read_fd_message(sockfd, (char *)msg, VHOST_USER_HDR_SIZE, - msg->fds, VHOST_MEMORY_MAX_NREGIONS); + msg->fds, VHOST_MEMORY_MAX_NREGIONS, &msg->fd_num); if (ret <= 0) return ret; diff --git a/lib/librte_vhost/vhost_user.h b/lib/librte_vhost/vhost_user.h index ba78d32684..ea9d304f82 100644 --- a/lib/librte_vhost/vhost_user.h +++ b/lib/librte_vhost/vhost_user.h 
@@ -110,6 +110,7 @@ typedef struct VhostUserMsg { VhostUserLog log; } payload; int fds[VHOST_MEMORY_MAX_NREGIONS]; + int fd_num; } __attribute((packed)) VhostUserMsg; #define VHOST_USER_HDR_SIZE offsetof(VhostUserMsg, payload.u64) 
@@ -122,7 +123,8 @@ typedef struct VhostUserMsg { int vhost_user_msg_handler(int vid, int fd); /* socket.c */ -int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num); +int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds, + int *fd_num); int send_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num); #endif

From patchwork Tue Nov 12 15:18:51 2019
X-Patchwork-Submitter: Maxime Coquelin
X-Patchwork-Id: 62894
From: Maxime Coquelin
To: dev@dpdk.org, stable@dpdk.org
Cc: Maxime Coquelin, Jason Wang
Date: Tue, 12 Nov 2019 16:18:51 +0100
Message-Id: <20191112151852.27341-3-maxime.coquelin@redhat.com>
In-Reply-To: <20191112151852.27341-1-maxime.coquelin@redhat.com>
Subject: [dpdk-dev] [v16.11 PATCH v2 3/4] vhost: fix possible denial of service on SET_VRING_NUM

vhost_user_set_vring_num() performs multiple allocations without checking whether data were previously allocated. It may cause a denial of service because of the memory leaks that happen if a malicious vhost-user master keeps sending VHOST_USER_SET_VRING_NUM requests until the slave runs out of memory.

This issue has been assigned CVE-2019-14818.

Reported-by: Jason Wang
Signed-off-by: Maxime Coquelin
--- lib/librte_vhost/vhost_user.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index b8f6a9fba5..cebc72f78f 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c 
@@ -204,6 +204,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, vq->nr_zmbuf = 0; vq->last_zmbuf_idx = 0; vq->zmbuf_size = vq->size; + if (vq->zmbufs) + rte_free(vq->zmbufs); vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size * sizeof(struct zcopy_mbuf), 0); if (vq->zmbufs == NULL) { 
@@ -213,7 +215,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, dev->dequeue_zero_copy = 0; } } - + if (vq->shadow_used_ring) + rte_free(vq->shadow_used_ring); vq->shadow_used_ring = rte_malloc(NULL, vq->size * sizeof(struct vring_used_elem), RTE_CACHE_LINE_SIZE);

From patchwork Tue Nov 12 15:18:52 2019
X-Patchwork-Submitter: Maxime Coquelin
X-Patchwork-Id: 62895
From: Maxime Coquelin
To: dev@dpdk.org, stable@dpdk.org
Cc: Maxime Coquelin
Date: Tue, 12 Nov 2019 16:18:52 +0100
Message-Id: <20191112151852.27341-4-maxime.coquelin@redhat.com>
In-Reply-To: <20191112151852.27341-1-maxime.coquelin@redhat.com>
Subject: [dpdk-dev] [v16.11 PATCH v2 4/4] vhost: fix possible denial of service by leaking FDs

A malicious Vhost-user master could send in a loop hand-crafted vhost-user messages containing more file descriptors than the vhost-user slave expects. Doing so causes the application using the vhost-user library to run out of FDs.

This issue has been assigned CVE-2019-14818.

Fixes: 8f972312b8f4 ("vhost: support vhost-user")
Signed-off-by: Maxime Coquelin
--- lib/librte_vhost/vhost_user.c | 87 +++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index cebc72f78f..a6ab131543 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c 
@@ -75,6 +75,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] = { [VHOST_USER_SEND_RARP] = "VHOST_USER_SEND_RARP", }; +static void +close_msg_fds(struct VhostUserMsg *msg) +{ + int i; + + for (i = 0; i < msg->fd_num; i++) + close(msg->fds[i]); +} + +/* + * Ensure the expected number of FDs is received, + * close all FDs and return an error if this is not the case. + */ +static int +validate_msg_fds(struct VhostUserMsg *msg, int expected_fds) +{ + if (msg->fd_num == expected_fds) + return 0; + + RTE_LOG(ERR, VHOST_CONFIG, + " Expect %d FDs for request %s, received %d\n", + expected_fds, + vhost_message_str[msg->request], + msg->fd_num); + + close_msg_fds(msg); + + return -1; +} + static uint64_t get_blk_size(int fd) { 
@@ -1104,35 +1134,59 @@ vhost_user_msg_handler(int vid, int fd) ret = 0; switch (msg.request) { case VHOST_USER_GET_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + msg.payload.u64 = vhost_user_get_features(); msg.size = sizeof(msg.payload.u64); send_vhost_message(fd, &msg); break; case VHOST_USER_SET_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_features(dev, msg.payload.u64); break; case VHOST_USER_GET_PROTOCOL_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + msg.payload.u64 = VHOST_USER_PROTOCOL_FEATURES; msg.size = sizeof(msg.payload.u64); send_vhost_message(fd, &msg); break; case VHOST_USER_SET_PROTOCOL_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_protocol_features(dev, msg.payload.u64); break; case VHOST_USER_SET_OWNER: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_owner(); break; case VHOST_USER_RESET_OWNER: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_reset_owner(dev); break; case VHOST_USER_SET_MEM_TABLE: + if (validate_msg_fds(&msg, msg.payload.memory.nregions) != 0) + return -1; + vhost_user_set_mem_table(dev, &msg); break; case VHOST_USER_SET_LOG_BASE: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + ret = vhost_user_set_log_base(dev, &msg); if (ret) break; 
@@ -1144,21 +1198,36 @@ vhost_user_msg_handler(int vid, int fd) send_vhost_message(fd, &msg); break; case VHOST_USER_SET_LOG_FD: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + close(msg.fds[0]); RTE_LOG(INFO, VHOST_CONFIG, "not implemented.\n"); break; case VHOST_USER_SET_VRING_NUM: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_vring_num(dev, &msg.payload.state); break; case VHOST_USER_SET_VRING_ADDR: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_vring_addr(&dev, &msg.payload.addr); break; case VHOST_USER_SET_VRING_BASE: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_vring_base(dev, &msg.payload.state); break; case VHOST_USER_GET_VRING_BASE: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_get_vring_base(dev, &msg.payload.state); if (ret) break; @@ -1167,28 +1236,46 @@ vhost_user_msg_handler(int vid, int fd) break; case VHOST_USER_SET_VRING_KICK: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + ret = vhost_user_set_vring_kick(dev, &msg); break; case VHOST_USER_SET_VRING_CALL: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + vhost_user_set_vring_call(dev, &msg); break; case VHOST_USER_SET_VRING_ERR: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK)) close(msg.fds[0]); RTE_LOG(INFO, VHOST_CONFIG, "not implemented\n"); break; case VHOST_USER_GET_QUEUE_NUM: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + msg.payload.u64 = VHOST_MAX_QUEUE_PAIRS; msg.size = sizeof(msg.payload.u64); send_vhost_message(fd, &msg); break; case VHOST_USER_SET_VRING_ENABLE: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_set_vring_enable(dev, &msg.payload.state); break; case VHOST_USER_SEND_RARP: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_send_rarp(dev, &msg); break;
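Review bot: In patch 1/4, the new check in vhost_user_set_vring_num() accepts a queue size of 0, because (vq->size & (vq->size - 1)) evaluates to 0 when vq->size is 0, although 0 is not a power of 2. The check also runs after "vq->size = state->num;", so a rejected value stays stored in the virtqueue when the function returns -1. Suggest validating state->num first (non-zero, power of 2, at most 32768) and assigning it to vq->size only once it has passed.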
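Review bot: In patch 2/4, read_fd_message() derives got_fds from cmsg->cmsg_len and copies got_fds * sizeof(int) bytes into fds without comparing got_fds against max_fds; the only bound is the implicit one from the size of control[]. Because CMSG_SPACE() can include alignment padding, an explicit "if (got_fds > max_fds)" error path before the memcpy() would make the bound on the caller's array independent of how the control buffer is sized. control[] is also now a variable-length array sized from a parameter, so a comment stating that max_fds must be a small constant such as VHOST_MEMORY_MAX_NREGIONS would help. Minor: the new comment says "fdnum" while the parameter is named fd_num.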
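Review bot: In patch 3/4, first hunk, the "if (vq->zmbufs)" test before rte_free(vq->zmbufs) is redundant, since rte_free() does nothing when passed NULL; calling it unconditionally reads more simply. A one-line comment saying that VHOST_USER_SET_VRING_NUM can be received more than once for the same virtqueue would explain why the old buffer has to be released here.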
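Review bot: In patch 3/4, second hunk, the added lines replace the blank line that separated the zero-copy block from the shadow_used_ring allocation, so the release of the old ring now sits flush against the closing brace of the unrelated block. Keep the blank line and place the rte_free(vq->shadow_used_ring) call directly above the rte_malloc() it pairs with.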
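Review bot: In patch 4/4, close_msg_fds() leaves the closed descriptor numbers in msg->fds[] and leaves msg->fd_num unchanged, so any later path that closes msg->fds[i] again would act on a descriptor number that may since have been reused. Setting each entry to -1 after close(), and skipping entries that are already negative, would make the helper safe to call more than once. The log string in validate_msg_fds() also begins with a stray space (" Expect %d FDs ...").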
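Review bot: In patch 4/4, the vhost_user_msg_handler() hunk starting at VHOST_USER_GET_FEATURES repeats the same check in every case and returns -1 directly, while the surrounding cases report failure through ret and break. A request type added later without the check would reintroduce the leak unnoticed; consider a per-request table of expected FD counts checked once before the switch, or at least set ret = -1 and break so every error path leaves the switch the same way. For VHOST_USER_SET_MEM_TABLE the expected count is the peer-supplied msg.payload.memory.nregions passed as an int, and a short comment on why comparing it against fd_num is sufficient would help.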
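Review bot: In patch 4/4, VHOST_USER_SET_VRING_ERR is validated with an expected count of 1, but the existing line right below it only closes msg.fds[0] when VHOST_USER_VRING_NOFD_MASK is clear in msg.payload.u64, which indicates the request can arrive without a descriptor. A request sent with the mask set and no descriptor attached has fd_num 0 and is now rejected. The same fixed count of 1 is used for VHOST_USER_SET_VRING_KICK and VHOST_USER_SET_VRING_CALL. Suggest deriving the expected count from the mask: 0 when VHOST_USER_VRING_NOFD_MASK is set, 1 otherwise.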