[dpdk-dev,v2,09/13] PMD/af_packet: guard against buffer overruns in TX path
Checks
Commit Message
Signed-off-by: Michał Mirosław <michal.miroslaw@atendesoftware.pl>
---
drivers/net/af_packet/rte_eth_af_packet.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
Comments
On Tue, Dec 13, 2016 at 02:28:34AM +0100, Michał Mirosław wrote:
> Signed-off-by: Michał Mirosław <michal.miroslaw@atendesoftware.pl>
Acked-by: John W. Linville <linville@tuxdriver.com>
> ---
> drivers/net/af_packet/rte_eth_af_packet.c | 20 +++++++++++++++-----
> 1 file changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c
> index 5599e02..fc2dc4a 100644
> --- a/drivers/net/af_packet/rte_eth_af_packet.c
> +++ b/drivers/net/af_packet/rte_eth_af_packet.c
> @@ -83,6 +83,7 @@ struct pkt_rx_queue {
>
> struct pkt_tx_queue {
> int sockfd;
> + unsigned int frame_data_size;
>
> struct iovec *rd;
> uint8_t *map;
> @@ -206,13 +207,20 @@ eth_af_packet_tx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
> framenum = pkt_q->framenum;
> ppd = (struct tpacket2_hdr *) pkt_q->rd[framenum].iov_base;
> for (i = 0; i < nb_pkts; i++) {
> + mbuf = *bufs++;
> +
> + /* drop oversized packets */
> + if (rte_pktmbuf_data_len(mbuf) > pkt_q->frame_data_size) {
> + rte_pktmbuf_free(mbuf);
> + continue;
> + }
> +
> /* point at the next incoming frame */
> if ((ppd->tp_status != TP_STATUS_AVAILABLE) &&
> (poll(&pfd, 1, -1) < 0))
> - continue;
> + break;
>
> /* copy the tx frame data */
> - mbuf = bufs[num_tx];
> pbuf = (uint8_t *) ppd + TPACKET2_HDRLEN -
> sizeof(struct sockaddr_ll);
> memcpy(pbuf, rte_pktmbuf_mtod(mbuf, void*), rte_pktmbuf_data_len(mbuf));
> @@ -231,13 +239,13 @@ eth_af_packet_tx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>
> /* kick-off transmits */
> if (sendto(pkt_q->sockfd, NULL, 0, MSG_DONTWAIT, NULL, 0) == -1)
> - return 0; /* error sending -- no packets transmitted */
> + num_tx = 0; /* error sending -- no packets transmitted */
>
> pkt_q->framenum = framenum;
> pkt_q->tx_pkts += num_tx;
> - pkt_q->err_pkts += nb_pkts - num_tx;
> + pkt_q->err_pkts += i - num_tx;
> pkt_q->tx_bytes += num_tx_bytes;
> - return num_tx;
> + return i;
> }
>
> static int
> @@ -634,6 +642,8 @@ rte_pmd_init_internals(const char *name,
>
> tx_queue = &((*internals)->tx_queue[q]);
> tx_queue->framecount = req->tp_frame_nr;
> + tx_queue->frame_data_size = req->tp_frame_size;
> + tx_queue->frame_data_size -= TPACKET2_HDRLEN - sizeof(struct sockaddr_ll);
>
> tx_queue->map = rx_queue->map + req->tp_block_size * req->tp_block_nr;
>
> --
> 2.10.2
>
>
On 12/13/2016 4:06 PM, John W. Linville wrote:
> On Tue, Dec 13, 2016 at 02:28:34AM +0100, Michał Mirosław wrote:
>> Signed-off-by: Michał Mirosław <michal.miroslaw@atendesoftware.pl>
>
> Acked-by: John W. Linville <linville@tuxdriver.com>
>
Applied to dpdk-next-net/master, thanks.
@@ -83,6 +83,7 @@ struct pkt_rx_queue {
struct pkt_tx_queue {
int sockfd;
+ unsigned int frame_data_size;
struct iovec *rd;
uint8_t *map;
@@ -206,13 +207,20 @@ eth_af_packet_tx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
framenum = pkt_q->framenum;
ppd = (struct tpacket2_hdr *) pkt_q->rd[framenum].iov_base;
for (i = 0; i < nb_pkts; i++) {
+ mbuf = *bufs++;
+
+ /* drop oversized packets */
+ if (rte_pktmbuf_data_len(mbuf) > pkt_q->frame_data_size) {
+ rte_pktmbuf_free(mbuf);
+ continue;
+ }
+
/* point at the next incoming frame */
if ((ppd->tp_status != TP_STATUS_AVAILABLE) &&
(poll(&pfd, 1, -1) < 0))
- continue;
+ break;
/* copy the tx frame data */
- mbuf = bufs[num_tx];
pbuf = (uint8_t *) ppd + TPACKET2_HDRLEN -
sizeof(struct sockaddr_ll);
memcpy(pbuf, rte_pktmbuf_mtod(mbuf, void*), rte_pktmbuf_data_len(mbuf));
@@ -231,13 +239,13 @@ eth_af_packet_tx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
/* kick-off transmits */
if (sendto(pkt_q->sockfd, NULL, 0, MSG_DONTWAIT, NULL, 0) == -1)
- return 0; /* error sending -- no packets transmitted */
+ num_tx = 0; /* error sending -- no packets transmitted */
pkt_q->framenum = framenum;
pkt_q->tx_pkts += num_tx;
- pkt_q->err_pkts += nb_pkts - num_tx;
+ pkt_q->err_pkts += i - num_tx;
pkt_q->tx_bytes += num_tx_bytes;
- return num_tx;
+ return i;
}
static int
@@ -634,6 +642,8 @@ rte_pmd_init_internals(const char *name,
tx_queue = &((*internals)->tx_queue[q]);
tx_queue->framecount = req->tp_frame_nr;
+ tx_queue->frame_data_size = req->tp_frame_size;
+ tx_queue->frame_data_size -= TPACKET2_HDRLEN - sizeof(struct sockaddr_ll);
tx_queue->map = rx_queue->map + req->tp_block_size * req->tp_block_nr;