From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D73F9C47079 for ; Thu, 30 Apr 2020 13:37:58 +0000 (UTC) Received: from dpdk.org (dpdk.org [92.243.14.124]) by mail.kernel.org (Postfix) with ESMTP id 9BA1C2074A for ; Thu, 30 Apr 2020 13:37:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9BA1C2074A Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=baidu.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dev-bounces@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id D586F1DBBF; Thu, 30 Apr 2020 15:37:57 +0200 (CEST) Received: from tc-sys-mailedm03.tc.baidu.com (mx134-tc.baidu.com [61.135.168.134]) by dpdk.org (Postfix) with ESMTP id 3BDD01DBB6 for ; Thu, 30 Apr 2020 15:37:55 +0200 (CEST) Received: from localhost (cp01-cos-dev01.cp01.baidu.com [10.92.119.46]) by tc-sys-mailedm03.tc.baidu.com (Postfix) with ESMTP id 5D9984500031; Thu, 30 Apr 2020 21:37:52 +0800 (CST) From: Yuan Linsi To: ajit.khaparde@broadcom.com, somnath.kotur@broadcom.com, lance.richardson@broadcom.com Cc: dev@dpdk.org Date: Thu, 30 Apr 2020 21:37:52 +0800 Message-Id: <1588253872-19024-1-git-send-email-yuanlinsi01@baidu.com> X-Mailer: git-send-email 1.7.1 Subject: [dpdk-dev] [PATCH] net/bnxt: fix a possible stack smashing X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: yuanlinsi01 We see a stack smashing as a result of defensive code missing. Once the nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to zero after doing a floor align, and we can not exit the following receiving packets loop. And the buffers will be overwrite, then the stack frame was ruined. Fix the problem by adding defensive code, once the nb_pkts is zero, just directly return with no packets. Fixes: bc4a000f2 ("net/bnxt: implement SSE vector mode") Cc: stable@dpdk.org Signed-off-by: yuanlinsi01 Signed-off-by: rongdongsheng --- drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c index d0e7910e7..8f73add9b 100644 --- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c +++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c @@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts, /* Return no more than RTE_BNXT_MAX_RX_BURST per call. */ nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST); - /* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */ + /* + * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP. + * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet + */ nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP); + if (!nb_pkts) + return 0; /* Handle RX burst request */ while (1) { -- 2.11.0