From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ilya Maximets <i.maximets@samsung.com>
Subject: [PATCH] net/i40e: fix out-of-bounds writes during vector
	Rx
Date: Thu, 21 Jul 2016 14:03:38 +0300
Message-ID: <1469099018-31402-1-git-send-email-i.maximets@samsung.com>
Cc: Zhe Tao <zhe.tao@intel.com>, Heetae Ahn <heetae82.ahn@samsung.com>,
 Thomas Monjalon <thomas.monjalon@6wind.com>,
 Ilya Maximets <i.maximets@samsung.com>, Sergey Dyasly <s.dyasly@samsung.com>
To: dev@dpdk.org, Helin Zhang <helin.zhang@intel.com>,
 Jingjing Wu <jingjing.wu@intel.com>
Return-path: <dev-bounces@dpdk.org>
Received: from mailout2.w1.samsung.com (mailout2.w1.samsung.com
 [210.118.77.12]) by dpdk.org (Postfix) with ESMTP id 28C7B5320
 for <dev@dpdk.org>; Thu, 21 Jul 2016 13:03:48 +0200 (CEST)
Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245])
 by mailout2.w1.samsung.com
 (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014))
 with ESMTP id <0OAN00GXXW2AMH70@mailout2.w1.samsung.com> for dev@dpdk.org;
 Thu, 21 Jul 2016 12:03:46 +0100 (BST)
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: Sergey Dyasly <s.dyasly@samsung.com>

Rx loop inside _recv_raw_pkts_vec() ignores nb_pkts argument and always
tries to receive RTE_I40E_VPMD_RX_BURST (32) packets. This is a violation
of rte_eth_rx_burst() API and can lead to memory corruption (out-of-bounds
writes to struct rte_mbuf **rx_pkts) if nb_pkts is less than 32.

Fix this by actually using nb_pkts inside the loop.

Fixes: 9ed94e5bb04e ("i40e: add vector Rx")

Signed-off-by: Sergey Dyasly <s.dyasly@samsung.com>
Acked-by: Ilya Maximets <i.maximets@samsung.com>
---
 drivers/net/i40e/i40e_rxtx_vec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/i40e/i40e_rxtx_vec.c b/drivers/net/i40e/i40e_rxtx_vec.c
index 05cb415..51fb282 100644
--- a/drivers/net/i40e/i40e_rxtx_vec.c
+++ b/drivers/net/i40e/i40e_rxtx_vec.c
@@ -269,7 +269,7 @@ _recv_raw_pkts_vec(struct i40e_rx_queue *rxq, struct rte_mbuf **rx_pkts,
 	 * D. fill info. from desc to mbuf
 	 */
 
-	for (pos = 0, nb_pkts_recd = 0; pos < RTE_I40E_VPMD_RX_BURST;
+	for (pos = 0, nb_pkts_recd = 0; pos < nb_pkts;
 			pos += RTE_I40E_DESCS_PER_LOOP,
 			rxdp += RTE_I40E_DESCS_PER_LOOP) {
 		__m128i descs[RTE_I40E_DESCS_PER_LOOP];
-- 
2.7.4