[dpdk-dev] [PATCH 2/4] net/mlx5: fix potential buffer overflow
Yongseok Koh
yskoh at mellanox.com
Sat May 12 03:35:43 CEST 2018
Fixes: f0d61f8f8953 ("net/mlx5: add Multi-Packet Rx support")
Signed-off-by: Yongseok Koh <yskoh at mellanox.com>
---
drivers/net/mlx5/mlx5_rxtx.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/net/mlx5/mlx5_rxtx.c b/drivers/net/mlx5/mlx5_rxtx.c
index 387463792..c887d550f 100644
--- a/drivers/net/mlx5/mlx5_rxtx.c
+++ b/drivers/net/mlx5/mlx5_rxtx.c
@@ -2180,6 +2180,15 @@ mlx5_rx_burst_mprq(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
* - Out of buffer in the Mempool for Multi-Packet RQ.
*/
if (len <= rxq->mprq_max_memcpy_len || rxq->mprq_repl == NULL) {
+ /*
+ * When memcpy'ing packet due to out-of-buffer, the
+ * packet must be smaller than the target mbuf.
+ */
+ if (unlikely(rte_pktmbuf_tailroom(pkt) < len)) {
+ rte_pktmbuf_free_seg(pkt);
+ ++rxq->stats.idropped;
+ continue;
+ }
rte_memcpy(rte_pktmbuf_mtod(pkt, void *), addr, len);
} else {
rte_iova_t buf_iova;
@@ -2214,8 +2223,11 @@ mlx5_rx_burst_mprq(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
* Prevent potential overflow due to MTU change through
* kernel interface.
*/
- len = RTE_MIN(len, (uint16_t)(pkt->buf_len -
- pkt->data_off));
+ if (unlikely(rte_pktmbuf_tailroom(pkt) < len)) {
+ rte_pktmbuf_free_seg(pkt);
+ ++rxq->stats.idropped;
+ continue;
+ }
}
rxq_cq_to_mbuf(rxq, pkt, cqe, rss_hash_res);
PKT_LEN(pkt) = len;
--
2.11.0
More information about the dev
mailing list