From patchwork Tue Nov 12 15:19:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 62896 X-Patchwork-Delegate: maxime.coquelin@redhat.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 6D153A04B6; Tue, 12 Nov 2019 16:19:59 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 468FA3772; Tue, 12 Nov 2019 16:19:43 +0100 (CET) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id 64FA7374E for ; Tue, 12 Nov 2019 16:19:42 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571981; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NzcVwVkejZFzPakZs7pgJCuN8KCaXFlAaf566Ul7v/c=; b=Zcv6jtKTqvEo0lcugqWOgm4yo/UmgLrXa4CPyrZwyCgel3I9vLkE26gfFh+tCJFKLxrWyE 6i5MLwykQ8HzOJLpg7i2UeF9rgLg/xbTuJhCcglUHu9iomu1O+aPE16o3PhWq/8O32mEwW UrDk5XtBsuPUObcbscI2WFmz7AoDhD0= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-156-F5LWUebmM1W7B7Ooa01xXg-1; Tue, 12 Nov 2019 10:19:38 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6A3C510D4E5F; Tue, 12 Nov 2019 15:19:37 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 597AF5E244; Tue, 
12 Nov 2019 15:19:30 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Stefan Hajnoczi , Maxime Coquelin Date: Tue, 12 Nov 2019 16:19:24 +0100 Message-Id: <20191112151927.27418-1-maxime.coquelin@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: F5LWUebmM1W7B7Ooa01xXg-1 X-Mimecast-Spam-Score: 0 Subject: [dpdk-dev] [v17.11 PATCH v2 1/4] vhost: validate virtqueue size X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Stefan Hajnoczi [ backported from upstream commit eb7c574b21cc92792ea5a1f219ddf6dd3cf3b1e1 ] Check the virtqueue size constraints so that invalid values don't cause bugs later on in the code. For example, sometimes the virtqueue size is stored as unsigned int and sometimes as uint16_t, so bad things happen if it is ever larger than 65535. Signed-off-by: Stefan Hajnoczi Reviewed-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index bb39999aa4..93e871c5bb 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c 
@@ -247,6 +247,17 @@ vhost_user_set_vring_num(struct virtio_net *dev, vq->size = msg->payload.state.num; + /* VIRTIO 1.0, 2.4 Virtqueues says: + * + * Queue Size value is always a power of 2. The maximum Queue Size + * value is 32768. + */ + if ((vq->size & (vq->size - 1)) || vq->size > 32768) { + RTE_LOG(ERR, VHOST_CONFIG, + "invalid virtqueue size %u\n", vq->size); + return -1; + } + if (dev->dequeue_zero_copy) { vq->nr_zmbuf = 0; vq->last_zmbuf_idx = 0; From patchwork Tue Nov 12 15:19:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 62899 X-Patchwork-Delegate: maxime.coquelin@redhat.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 71A3DA04B6; Tue, 12 Nov 2019 16:20:36 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id E467B5681; Tue, 12 Nov 2019 16:19:50 +0100 (CET) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81]) by dpdk.org (Postfix) with ESMTP id B1E5D397D for ; Tue, 12 Nov 2019 16:19:44 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571984; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bUc5oTy/L8Lfij20yGxxdYXxz4svpEDVBQct1W4u+Ck=; b=PIUHlYF9LAdUQpeKLlrjLmeZHPwyzzVwgSix45iCW+8sFpHkb3Fzx/waVfCiIbLwOTUW7i 51IWH56CvZnZFglpTf6/jMRFcsRWksjbUNAjTJ7PVl2MtU2jrUpKVp7XywYeA0tON3Xxs8 SWYqk4wxBaCc8fXZtBLByu8h8NWoK9Y= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-417-GFvQ7dzLPrWGW4A0x7T1kQ-1; Tue, 12 Nov 
2019 10:19:43 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 452571007273; Tue, 12 Nov 2019 15:19:42 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id D3A7B5DDA8; Tue, 12 Nov 2019 15:19:37 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Maxime Coquelin , "Dr . David Alan Gilbert" Date: Tue, 12 Nov 2019 16:19:25 +0100 Message-Id: <20191112151927.27418-2-maxime.coquelin@redhat.com> In-Reply-To: <20191112151927.27418-1-maxime.coquelin@redhat.com> References: <20191112151927.27418-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: GFvQ7dzLPrWGW4A0x7T1kQ-1 X-Mimecast-Spam-Score: 0 Subject: [dpdk-dev] [v17.11 PATCH v2 2/4] vhost: add number of fds to vhost-user messages X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" As soon as some ancillary data (fds) are received, it is copied without checking its length. This patch adds the number of fds received to the message, which is set in read_vhost_message(). This is preliminary work to support sending fds to Qemu. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Maxime Coquelin (cherry picked from commit c00bb88d35fe975ede0ea35bdf4f765a2cece7e8) Signed-off-by: Maxime Coquelin --- lib/librte_vhost/socket.c | 22 +++++++++++++++++----- lib/librte_vhost/vhost_user.c | 2 +- lib/librte_vhost/vhost_user.h | 4 +++- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c index 88be697c2f..2fa7ea0e09 100644 
--- a/lib/librte_vhost/socket.c +++ b/lib/librte_vhost/socket.c @@ -117,17 +117,23 @@ static struct vhost_user vhost_user = { .mutex = PTHREAD_MUTEX_INITIALIZER, }; -/* return bytes# of read on success or negative val on failure. */ +/* + * return bytes# of read on success or negative val on failure. Update fdnum + * with number of fds read. + */ int -read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num) +read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds, + int *fd_num) { struct iovec iov; struct msghdr msgh; - size_t fdsize = fd_num * sizeof(int); - char control[CMSG_SPACE(fdsize)]; + char control[CMSG_SPACE(max_fds * sizeof(int))]; struct cmsghdr *cmsg; + int got_fds = 0; int ret; + *fd_num = 0; + memset(&msgh, 0, sizeof(msgh)); iov.iov_base = buf; iov.iov_len = buflen; @@ -152,11 +158,17 @@ read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num) cmsg = CMSG_NXTHDR(&msgh, cmsg)) { if ((cmsg->cmsg_level == SOL_SOCKET) && (cmsg->cmsg_type == SCM_RIGHTS)) { - memcpy(fds, CMSG_DATA(cmsg), fdsize); + got_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int); + *fd_num = got_fds; + memcpy(fds, CMSG_DATA(cmsg), got_fds * sizeof(int)); break; } } + /* Clear out unused file descriptors */ + while (got_fds < max_fds) + fds[got_fds++] = -1; + return ret; } diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 93e871c5bb..9773691097 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -1248,7 +1248,7 @@ read_vhost_message(int sockfd, struct VhostUserMsg *msg) int ret; ret = read_fd_message(sockfd, (char *)msg, VHOST_USER_HDR_SIZE, - msg->fds, VHOST_MEMORY_MAX_NREGIONS); + msg->fds, VHOST_MEMORY_MAX_NREGIONS, &msg->fd_num); if (ret <= 0) return ret; diff --git a/lib/librte_vhost/vhost_user.h b/lib/librte_vhost/vhost_user.h index 76d9fe2fc5..10b8cc5e1a 100644 --- a/lib/librte_vhost/vhost_user.h +++ b/lib/librte_vhost/vhost_user.h 
@@ -130,6 +130,7 @@ typedef struct VhostUserMsg { struct vhost_iotlb_msg iotlb; } payload; int fds[VHOST_MEMORY_MAX_NREGIONS]; + int fd_num; } __attribute((packed)) VhostUserMsg; #define VHOST_USER_HDR_SIZE offsetof(VhostUserMsg, payload.u64) 
@@ -143,7 +144,8 @@ int vhost_user_msg_handler(int vid, int fd); int vhost_user_iotlb_miss(struct virtio_net *dev, uint64_t iova, uint8_t perm); /* socket.c */ -int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num); +int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds, + int *fd_num); int send_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num); #endif From patchwork Tue Nov 12 15:19:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 62902 X-Patchwork-Delegate: maxime.coquelin@redhat.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id AED1FA04B6; Tue, 12 Nov 2019 16:21:22 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id AAAAA1BE9A; Tue, 12 Nov 2019 16:19:57 +0100 (CET) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) by dpdk.org (Postfix) with ESMTP id C786C58C3 for ; Tue, 12 Nov 2019 16:19:51 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571991; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wUV3RU6e8f3t5fz2Ca/mBlQa8BKpZN3Fd5QtD1nxk0s=; b=J6NndOjvfcsuApLQqC0iGfidXIDbgh4gsmCwoQMAfuAYEbydOML3HLA1LpL8r6YSyjZ1ar HskucaLg5L4XIm9WR2+SsmbWRVLFwk2ENnLfrknNoySpkOHPjTrPZV5agZ19/s58aFfFB4 w4pgrN1Hbu7NLJGu7UhA+d+z73bOhkI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-317-FwbJZNW0NoiiC4HvodTzIg-1; Tue, 12 Nov 2019 10:19:48 -0500 Received: from 
smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8D7DF1007286; Tue, 12 Nov 2019 15:19:47 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id A7FA35DDA8; Tue, 12 Nov 2019 15:19:42 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Maxime Coquelin , Jason Wang Date: Tue, 12 Nov 2019 16:19:26 +0100 Message-Id: <20191112151927.27418-3-maxime.coquelin@redhat.com> In-Reply-To: <20191112151927.27418-1-maxime.coquelin@redhat.com> References: <20191112151927.27418-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: FwbJZNW0NoiiC4HvodTzIg-1 X-Mimecast-Spam-Score: 0 Subject: [dpdk-dev] [v17.11 PATCH v2 3/4] vhost: fix possible denial of service on SET_VRING_NUM X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" vhost_user_set_vring_num() performs multiple allocations without checking whether data were previously allocated. It may cause a denial of service because of the memory leaks that happen if a malicious vhost-user master keeps sending VHOST_USER_SET_VRING_NUM request until the slave runs out of memory. This issue has been assigned CVE-2019-14818 Reported-by: Jason Wang Signed-off-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 9773691097..781734e9e3 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c 
@@ -262,6 +262,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, vq->nr_zmbuf = 0; vq->last_zmbuf_idx = 0; vq->zmbuf_size = vq->size; + if (vq->zmbufs) + rte_free(vq->zmbufs); vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size * sizeof(struct zcopy_mbuf), 0); if (vq->zmbufs == NULL) { @@ -271,7 +273,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, dev->dequeue_zero_copy = 0; } } - + if (vq->shadow_used_ring) + rte_free(vq->shadow_used_ring); vq->shadow_used_ring = rte_malloc(NULL, vq->size * sizeof(struct vring_used_elem), RTE_CACHE_LINE_SIZE); 
@@ -281,6 +284,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, return -1; } + if (vq->batch_copy_elems) + rte_free(vq->batch_copy_elems); vq->batch_copy_elems = rte_malloc(NULL, vq->size * sizeof(struct batch_copy_elem), RTE_CACHE_LINE_SIZE); From patchwork Tue Nov 12 15:19:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 62903 X-Patchwork-Delegate: maxime.coquelin@redhat.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2A3D3A04B6; Tue, 12 Nov 2019 16:21:36 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 607361BEB9; Tue, 12 Nov 2019 16:19:59 +0100 (CET) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id 7B66C5F13 for ; Tue, 12 Nov 2019 16:19:54 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571994; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ww/AEYapqWv4x3/nxQTWy8kgwxHTbFNVPekDykTvgm4=; b=UutpH511+hgR4uH7PEL+24j31HIm1o/F+P5ixDYFAhqrYMbwDJoiKexfLvHcAobN9iTWhA G+1AgcEXZxCurc2WSBKcNpbkPW5VQyO4txOG0rotzFZDuULbTWJJXHhJkyn8mn27QIYzk5 Zim/JRgBXBD42UDFW8C2m/9sghsyt3g= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-42-DEUJne21NLKy3WH8i8uEYQ-1; Tue, 12 Nov 2019 10:19:51 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by 
mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2AECA13B327; Tue, 12 Nov 2019 15:19:50 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 39D0F299C0; Tue, 12 Nov 2019 15:19:47 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Maxime Coquelin Date: Tue, 12 Nov 2019 16:19:27 +0100 Message-Id: <20191112151927.27418-4-maxime.coquelin@redhat.com> In-Reply-To: <20191112151927.27418-1-maxime.coquelin@redhat.com> References: <20191112151927.27418-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: DEUJne21NLKy3WH8i8uEYQ-1 X-Mimecast-Spam-Score: 0 Subject: [dpdk-dev] [v17.11 PATCH v2 4/4] vhost: fix possible denial of service by leaking FDs X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" A malicious Vhost-user master could send in loop hand-crafted vhost-user messages containing more file descriptors the vhost-user slave expects. Doing so causes the application using the vhost-user library to run out of FDs. This issue has been assigned CVE-2019-14818 Fixes: 8f972312b8f4 ("vhost: support vhost-user") Signed-off-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 95 +++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 781734e9e3..d4643dc350 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c 
@@ -81,6 +81,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] = { [VHOST_USER_IOTLB_MSG] = "VHOST_USER_IOTLB_MSG", }; +static void +close_msg_fds(struct VhostUserMsg *msg) +{ + int i; + + for (i = 0; i < msg->fd_num; i++) + close(msg->fds[i]); +} + +/* + * Ensure the expected number of FDs is received, + * close all FDs and return an error if this is not the case. + */ +static int +validate_msg_fds(struct VhostUserMsg *msg, int expected_fds) +{ + if (msg->fd_num == expected_fds) + return 0; + + RTE_LOG(ERR, VHOST_CONFIG, + " Expect %d FDs for request %s, received %d\n", + expected_fds, + vhost_message_str[msg->request.master], + msg->fd_num); + + close_msg_fds(msg); + + return -1; +} + static uint64_t get_blk_size(int fd) { 
@@ -1458,34 +1488,58 @@ vhost_user_msg_handler(int vid, int fd) switch (msg.request.master) { case VHOST_USER_GET_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + msg.payload.u64 = vhost_user_get_features(dev); msg.size = sizeof(msg.payload.u64); send_vhost_reply(fd, &msg); break; case VHOST_USER_SET_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_features(dev, msg.payload.u64); break; case VHOST_USER_GET_PROTOCOL_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_get_protocol_features(dev, &msg); send_vhost_reply(fd, &msg); break; case VHOST_USER_SET_PROTOCOL_FEATURES: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_protocol_features(dev, msg.payload.u64); break; case VHOST_USER_SET_OWNER: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_owner(); break; case VHOST_USER_RESET_OWNER: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_reset_owner(dev); break; case VHOST_USER_SET_MEM_TABLE: + if (validate_msg_fds(&msg, msg.payload.memory.nregions) != 0) + return -1; + ret = vhost_user_set_mem_table(&dev, &msg); break; case VHOST_USER_SET_LOG_BASE: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + vhost_user_set_log_base(dev, &msg); /* 
@@ -1496,61 +1550,102 @@ vhost_user_msg_handler(int vid, int fd) send_vhost_reply(fd, &msg); break; case VHOST_USER_SET_LOG_FD: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + close(msg.fds[0]); RTE_LOG(INFO, VHOST_CONFIG, "not implemented.\n"); break; case VHOST_USER_SET_VRING_NUM: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_vring_num(dev, &msg); break; case VHOST_USER_SET_VRING_ADDR: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_vring_addr(&dev, &msg); break; case VHOST_USER_SET_VRING_BASE: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_vring_base(dev, &msg); break; case VHOST_USER_GET_VRING_BASE: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_get_vring_base(dev, &msg); msg.size = sizeof(msg.payload.state); send_vhost_reply(fd, &msg); break; case VHOST_USER_SET_VRING_KICK: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + vhost_user_set_vring_kick(&dev, &msg); break; case VHOST_USER_SET_VRING_CALL: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + vhost_user_set_vring_call(dev, &msg); break; case VHOST_USER_SET_VRING_ERR: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK)) close(msg.fds[0]); RTE_LOG(INFO, VHOST_CONFIG, "not implemented\n"); break; case VHOST_USER_GET_QUEUE_NUM: + if (validate_msg_fds(&msg, 0) != 0) + return -1; msg.payload.u64 = VHOST_MAX_QUEUE_PAIRS; msg.size = sizeof(msg.payload.u64); send_vhost_reply(fd, &msg); break; case VHOST_USER_SET_VRING_ENABLE: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_set_vring_enable(dev, &msg); break; case VHOST_USER_SEND_RARP: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + vhost_user_send_rarp(dev, &msg); break; case VHOST_USER_NET_SET_MTU: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_net_set_mtu(dev, &msg); break; case VHOST_USER_SET_SLAVE_REQ_FD: + if (validate_msg_fds(&msg, 1) != 0) + return -1; + ret = 
vhost_user_set_req_fd(dev, &msg); break; case VHOST_USER_IOTLB_MSG: + if (validate_msg_fds(&msg, 0) != 0) + return -1; + ret = vhost_user_iotlb_msg(&dev, &msg); break;
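
Review bot: in patch 1/4, hunk `@@ -247,6 +247,17 @@` of vhost_user_set_vring_num(), the new test `(vq->size & (vq->size - 1)) || vq->size > 32768` lets a queue size of 0 through, because `0 & (0 - 1)` is 0 and 0 is not greater than 32768. The test also runs after `vq->size = msg->payload.state.num;`, so a rejected value is left in vq->size on the error return, and if vq->size is narrower than payload.state.num (the commit message mentions uint16_t storage) the test only sees the truncated value. Suggest validating msg->payload.state.num in a local variable first, rejecting 0 explicitly, and assigning to vq->size only once the value has passed.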
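
Review bot: in patch 2/4, socket.c hunk `@@ -152,11 +158,17 @@`, got_fds is computed from cmsg->cmsg_len and passed straight to `memcpy(fds, CMSG_DATA(cmsg), got_fds * sizeof(int));` without being compared to max_fds. The commit message says the ancillary data was copied without checking its length, and the copy length is still not checked against the size of the destination array; the only limit is the size of the control buffer, which CMSG_SPACE() rounds up for alignment. Suggest rejecting or clamping when got_fds > max_fds before the memcpy, and closing any descriptors that are received but not stored.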
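
Review bot: in patch 2/4, vhost_user.h hunk `@@ -130,6 +130,7 @@`, the new `int fd_num;` member has no comment saying that it is local bookkeeping filled in by read_fd_message() and not part of the bytes read from the socket. Since it sits inside the packed VhostUserMsg next to fds[], a one-line comment stating that fds and fd_num are populated from ancillary data, and that fd_num is only valid after read_vhost_message() returns, would keep later users from treating it as master-supplied payload.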
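
Review bot: in patch 3/4, hunk `@@ -262,6 +262,8 @@`, the guards `if (vq->zmbufs)` and `if (vq->shadow_used_ring)` in front of rte_free() are redundant, because rte_free() does nothing when passed NULL; calling rte_free() unconditionally is shorter and matches the intent. The second half of the hunk also deletes the blank line that separated the zero-copy block from the shadow_used_ring allocation, which makes the two unrelated blocks run together; keep the blank line.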
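
Review bot: in patch 3/4, hunk `@@ -281,6 +284,8 @@`, the free of vq->batch_copy_elems sits after the `return -1;` of the shadow_used_ring failure path, so when that earlier allocation fails the function returns with batch_copy_elems still sized for the previous queue size while vq->size already holds the new one. Suggest freeing all three buffers and setting the pointers to NULL at the top of the function, before any allocation, so every error return leaves the virtqueue without stale buffers.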
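
Review bot: in patch 4/4, hunk `@@ -81,6 +81,36 @@`, close_msg_fds() closes msg->fds[i] but leaves the descriptor numbers and msg->fd_num unchanged, so a second call on the same message, or any later `close(msg.fds[0])` in a handler, would close a descriptor number that may have been reused for something else. Suggest storing -1 in each slot after close() and setting msg->fd_num to 0 at the end of the loop. Minor: the log format string `" Expect %d FDs for request %s, received %d\n"` starts with a stray space.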
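
Review bot: in patch 4/4, hunk `@@ -1458,34 +1488,58 @@`, the `if (validate_msg_fds(&msg, N) != 0) return -1;` pair is copied into every case of the switch, so the protection depends on each future case remembering to add it; a case added later without the check would leave its FDs open again. Suggest a single lookup of the expected FD count per request type (with SET_MEM_TABLE taking msg.payload.memory.nregions) and one validate_msg_fds() call before the switch, which also covers requests that fall outside the listed cases.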
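
Review bot: in patch 4/4, hunk `@@ -1496,61 +1550,102 @@`, the VHOST_USER_SET_VRING_ERR case now requires exactly one FD, yet the line right after it only closes msg.fds[0] when `msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK` is clear, which implies the request may legitimately arrive with no FD. With the check as written such a message is rejected and the handler returns -1. Suggest deriving the expected count from the mask (0 when VHOST_USER_VRING_NOFD_MASK is set, otherwise 1), and checking whether SET_VRING_KICK and SET_VRING_CALL need the same treatment. Minor: the GET_QUEUE_NUM case is the only one without a blank line after the new check.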