lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()
Jiang, Cheng1
cheng1.jiang at intel.com
Sun Jan 29 03:11:46 CET 2023
Hi Mike,
Thanks for your report.
I agree with you; maybe you can submit the patch to fix it. (By the way, the sync path has the same issue.)
Thanks a lot.
Cheng
From: Mike Cui <cuicui at gmail.com>
Sent: Thursday, December 29, 2022 4:38 AM
To: dev at dpdk.org; Jiang, Cheng1 <cheng1.jiang at intel.com>
Subject: lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()
Hi,
I believe there is a possible stack overflow in this code: https://github.com/DPDK/dpdk/blob/main/lib/vhost/virtio_net.c#L3631
Here, pkts_prealloc is declared on the stack with size MAX_PKT_BURST, then filled in by rte_pktmbuf_alloc_bulk() up to 'count' elements, but 'count' is not capped at MAX_PKT_BURST like in many other code paths.
Suggested patch:
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index 9abf752f30..21f00317c7 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -3634,6 +3634,7 @@ virtio_dev_tx_async_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
async_iter_reset(async);
+ count = RTE_MIN(count, MAX_PKT_BURST);
if (rte_pktmbuf_alloc_bulk(mbuf_pool, pkts_prealloc, count))
goto out;
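Review bot: the added clamp, count = RTE_MIN(count, MAX_PKT_BURST), covers only virtio_dev_tx_async_packed(), while the reply in this thread says the sync path has the same issue. The submitted patch should apply the same cap there, before that path's bulk allocation into its stack array. The clamp also means a caller passing a count above MAX_PKT_BURST gets at most MAX_PKT_BURST packets back from one call, so a one-line comment above the added line saying that pkts_prealloc holds MAX_PKT_BURST entries would make the reason for the truncation clear to later readers.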