[dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len

Rich Lane rich.lane at bigswitch.com
Thu Nov 12 09:02:33 CET 2015

Previous message: [dpdk-dev] [PATCH] i40e: fix the issue of trying more VSIs for VMDq than available
Next message: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The guest could trigger this buffer overflow by creating a cycle of descriptors
(which would also cause an infinite loop). The more common case is that
vq->avail->idx jumps out of the range [last_used_idx, last_used_idx+256). This
happens nearly every time when restarting a DPDK app inside a VM connected to a
vhost-user vswitch because the virtqueue memory allocated by the previous run
is zeroed.

Signed-off-by: Rich Lane <rlane at bigswitch.com>
---
 lib/librte_vhost/vhost_rxtx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
index 9322ce6..d95b478 100644
--- a/lib/librte_vhost/vhost_rxtx.c
+++ b/lib/librte_vhost/vhost_rxtx.c
@@ -453,7 +453,7 @@ update_secure_len(struct vhost_virtqueue *vq, uint32_t id,
 		vq->buf_vec[vec_id].desc_idx = idx;
 		vec_id++;
 
-		if (vq->desc[idx].flags & VRING_DESC_F_NEXT) {
+		if (vq->desc[idx].flags & VRING_DESC_F_NEXT && vec_id < BUF_VECTOR_MAX) {
 			idx = vq->desc[idx].next;
 			next_desc = 1;
 		}
-- 
1.9.1

Previous message: [dpdk-dev] [PATCH] i40e: fix the issue of trying more VSIs for VMDq than available
Next message: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list