diff mbox series

[3/3] vhost: fix potential buffer overflow when batch dequeue

Message ID 20210331064939.56107-3-yong.liu@intel.com (mailing list archive)
State Accepted
Delegated to: Maxime Coquelin
Headers show
Series [1/3] vhost: fix split ring potential buffer overflow | expand


Context Check Description
ci/iol-testing success Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-abi-testing success Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/github-robot success github build: passed
ci/travis-robot success travis build: passed
ci/intel-Testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/checkpatch success coding style OK

Commit Message

Marvin Liu March 31, 2021, 6:49 a.m. UTC
Similar as single dequeue, the multiple accesses of descriptor length
will lead to potential risk. One-time access of descriptor length can
eliminate this risk.

Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
Cc: stable@dpdk.org

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
diff mbox series


diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index de43686522..0a7d008a91 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -2318,7 +2318,7 @@  vhost_reserve_avail_batch_packed(struct virtio_net *dev,
 	vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
-		pkts[i]->pkt_len = descs[avail_idx + i].len - buf_offset;
+		pkts[i]->pkt_len = lens[i] - buf_offset;
 		pkts[i]->data_len = pkts[i]->pkt_len;
 		ids[i] = descs[avail_idx + i].id;