From patchwork Mon Jan 21 08:12:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tiwei Bie X-Patchwork-Id: 49975 X-Patchwork-Delegate: maxime.coquelin@redhat.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id C94DD4CC5; Mon, 21 Jan 2019 09:15:30 +0100 (CET) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id C3E193977; Mon, 21 Jan 2019 09:15:28 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Jan 2019 00:15:27 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,502,1539673200"; d="scan'208";a="127608605" Received: from unknown (HELO dpdk-tbie.sh.intel.com) ([10.67.104.173]) by orsmga002.jf.intel.com with ESMTP; 21 Jan 2019 00:15:23 -0800 From: Tiwei Bie To: maxime.coquelin@redhat.com, zhihong.wang@intel.com, dev@dpdk.org Cc: haiyue.wang@intel.com, stable@dpdk.org Date: Mon, 21 Jan 2019 16:12:18 +0800 Message-Id: <20190121081218.16343-1-tiwei.bie@intel.com> X-Mailer: git-send-email 2.17.1 Subject: [dpdk-dev] [PATCH] vhost: fix possible out of bound access for indirect descs X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Fix a possible out of bound access which may happen when handling indirect descs in split ring. Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx") Cc: stable@dpdk.org Reported-by: Haiyue Wang Signed-off-by: Tiwei Bie Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 0893a1d04..37a4c00d2 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -310,6 +310,7 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, uint32_t len = 0; uint64_t dlen; uint32_t nr_descs = vq->size; + uint32_t cnt = 0; struct vring_desc *descs = vq->desc; struct vring_desc *idesc = NULL; @@ -348,12 +349,7 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, } while (1) { - if (unlikely(idx >= vq->size)) { - free_ind_table(idesc); - return -1; - } - - if (unlikely(nr_descs-- == 0)) { + if (unlikely(idx >= nr_descs || cnt++ >= nr_descs)) { free_ind_table(idesc); return -1; }