[dpdk-dev] [PATCH 2/4] net/mlx5: fix potential buffer overflow

Yongseok Koh yskoh at mellanox.com
Sat May 12 03:35:43 CEST 2018


Fixes: f0d61f8f8953 ("net/mlx5: add Multi-Packet Rx support")

Signed-off-by: Yongseok Koh <yskoh at mellanox.com>
---
 drivers/net/mlx5/mlx5_rxtx.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_rxtx.c b/drivers/net/mlx5/mlx5_rxtx.c
index 387463792..c887d550f 100644
--- a/drivers/net/mlx5/mlx5_rxtx.c
+++ b/drivers/net/mlx5/mlx5_rxtx.c
@@ -2180,6 +2180,15 @@ mlx5_rx_burst_mprq(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
 		 * - Out of buffer in the Mempool for Multi-Packet RQ.
 		 */
 		if (len <= rxq->mprq_max_memcpy_len || rxq->mprq_repl == NULL) {
+			/*
+			 * When memcpy'ing packet due to out-of-buffer, the
+			 * packet must be smaller than the target mbuf.
+			 */
+			if (unlikely(rte_pktmbuf_tailroom(pkt) < len)) {
+				rte_pktmbuf_free_seg(pkt);
+				++rxq->stats.idropped;
+				continue;
+			}
 			rte_memcpy(rte_pktmbuf_mtod(pkt, void *), addr, len);
 		} else {
 			rte_iova_t buf_iova;
@@ -2214,8 +2223,11 @@ mlx5_rx_burst_mprq(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
 			 * Prevent potential overflow due to MTU change through
 			 * kernel interface.
 			 */
-			len = RTE_MIN(len, (uint16_t)(pkt->buf_len -
-						      pkt->data_off));
+			if (unlikely(rte_pktmbuf_tailroom(pkt) < len)) {
+				rte_pktmbuf_free_seg(pkt);
+				++rxq->stats.idropped;
+				continue;
+			}
 		}
 		rxq_cq_to_mbuf(rxq, pkt, cqe, rss_hash_res);
 		PKT_LEN(pkt) = len;
-- 
2.11.0



More information about the dev mailing list