lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()

Jiang, Cheng1 cheng1.jiang at intel.com
Sun Jan 29 03:11:46 CET 2023


Hi Mike,

Thanks for your report.
I agree with you; maybe you can submit the patch to fix it. (By the way, the sync path has the same issue.)

Thanks a lot.
Cheng

From: Mike Cui <cuicui at gmail.com>
Sent: Thursday, December 29, 2022 4:38 AM
To: dev at dpdk.org; Jiang, Cheng1 <cheng1.jiang at intel.com>
Subject: lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()

Hi,

I believe there is a possible stack overflow in this code: https://github.com/DPDK/dpdk/blob/main/lib/vhost/virtio_net.c#L3631

Here, pkts_prealloc is declared on the stack with size MAX_PKT_BURST, then filled in by rte_pktmbuf_alloc_bulk() up to 'count' elements, but 'count' is not capped at MAX_PKT_BURST like in many other code paths.

Suggested patch:


diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c

index 9abf752f30..21f00317c7 100644

--- a/lib/vhost/virtio_net.c

+++ b/lib/vhost/virtio_net.c

@@ -3634,6 +3634,7 @@ virtio_dev_tx_async_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,



              async_iter_reset(async);



+           count = RTE_MIN(count, MAX_PKT_BURST);

              if (rte_pktmbuf_alloc_bulk(mbuf_pool, pkts_prealloc, count))

                              goto out;
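Review bot: the clamp on the added line `count = RTE_MIN(count, MAX_PKT_BURST);` covers only this one call to rte_pktmbuf_alloc_bulk() in virtio_dev_tx_async_packed(), and nothing in the hunk says which array it protects. A short comment above it naming pkts_prealloc and its MAX_PKT_BURST size would keep the clamp from being dropped in a later cleanup, and since the reply notes that the sync path has the same issue, the same cap should go there in the same patch. The added line is also indented differently from the context lines around it, which suggests the mail client altered the whitespace; resending the patch with git send-email would let it apply cleanly.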


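The pattern discussed in this thread, reduced to a self-contained model (an added example, not DPDK code and not part of either message): a fixed-size stack array is filled by a bulk allocator that trusts the caller's count, so the count is clamped before the call and the caller loops on the short return. `struct mbuf`, `alloc_bulk`, `tx_burst`, `drain` and the value 32 for `MAX_PKT_BURST` are assumptions made for the example.

```c
#include <stdint.h>

#define MAX_PKT_BURST 32                 /* assumed value for this example */
#define POOL_SIZE     256

struct mbuf { uint32_t len; };           /* hypothetical stand-in for struct rte_mbuf */
static struct mbuf pool[POOL_SIZE];
static unsigned pool_used;

/* Stand-in bulk allocator: all-or-nothing, writes exactly n pointers, blind to out[]'s size. */
static int alloc_bulk(struct mbuf **out, unsigned n)
{
    if (n > POOL_SIZE - pool_used)
        return -1;
    for (unsigned i = 0; i < n; i++)
        out[i] = &pool[pool_used++];
    return 0;
}

/* Delivers up to count packets; count is clamped before anything writes to prealloc[]. */
static uint16_t tx_burst(struct mbuf **pkts, uint16_t count)
{
    struct mbuf *prealloc[MAX_PKT_BURST];
    if (count > MAX_PKT_BURST)
        count = MAX_PKT_BURST;           /* without this, alloc_bulk() overruns prealloc[] */
    if (alloc_bulk(prealloc, count))
        return 0;
    for (uint16_t i = 0; i < count; i++)
        pkts[i] = prealloc[i];
    return count;
}

/* Caller side: a short return is normal for a burst API, so loop for the remainder. */
static unsigned drain(struct mbuf **pkts, unsigned want)
{
    unsigned got = 0, calls = 0;
    uint16_t n;
    while (got < want && (n = tx_burst(pkts + got, (uint16_t)(want - got))) > 0) {
        got += n;
        calls++;
    }
    return calls;
}

int main(void)
{
    struct mbuf *out[100];
    return drain(out, 100) == 4 ? 0 : 1;
}
```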