* lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()
@ 2022-12-28 20:37 Mike Cui
  2023-01-29  2:11 ` Jiang, Cheng1
  0 siblings, 1 reply; 2+ messages in thread
From: Mike Cui @ 2022-12-28 20:37 UTC (permalink / raw)
  To: dev, cheng1.jiang


Hi,

I believe there is a possible stack overflow in this code:
https://github.com/DPDK/dpdk/blob/main/lib/vhost/virtio_net.c#L3631

Here, pkts_prealloc is declared on the stack with size MAX_PKT_BURST, then
filled in by rte_pktmbuf_alloc_bulk() up to 'count' elements, but 'count'
is not capped at MAX_PKT_BURST like in many other code paths.

Suggested patch:

diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c

index 9abf752f30..21f00317c7 100644

--- a/lib/vhost/virtio_net.c

+++ b/lib/vhost/virtio_net.c

@@ -3634,6 +3634,7 @@ virtio_dev_tx_async_packed(struct virtio_net *dev,
struct vhost_virtqueue *vq,



  async_iter_reset(async);



+ count = RTE_MIN(count, MAX_PKT_BURST);

  if (rte_pktmbuf_alloc_bulk(mbuf_pool, pkts_prealloc, count))

  goto out;
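
Review bot: The added `count = RTE_MIN(count, MAX_PKT_BURST);` sits just before rte_pktmbuf_alloc_bulk(), so it bounds the write into pkts_prealloc, but it shortens the burst silently and leaves any use of count earlier in the function on the uncapped value. Consider clamping at function entry, matching the other code paths the report mentions, and adding a one-line comment that ties the bound to the size of pkts_prealloc. As posted, the hunk is also whitespace-damaged (the @@ header is wrapped and the indentation is stripped), so it needs resending as a proper patch with a commit message before it can be applied.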


^ permalink raw reply	[flat|nested] 2+ messages in thread
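
The pattern described in the report above, as an added stand-alone model (not DPDK code and not part of the original thread): a fixed-size on-stack table filled with a caller-controlled count, with and without the clamp. `bulk_fill_checked()` and `tx_burst_model()` are hypothetical names, and the value 32 for MAX_PKT_BURST is an assumption of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PKT_BURST 32   /* assumed value for this model */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/*
 * Hypothetical stand-in for a bulk allocator that writes exactly n slots.
 * Unlike a real bulk-alloc call it is told the table capacity, so an
 * oversized request is reported instead of writing past the array.
 */
static int bulk_fill_checked(void **table, size_t cap, uint16_t n)
{
    static char dummy[1];

    if (n > cap)
        return -1;          /* would have overrun the caller's array */
    for (uint16_t i = 0; i < n; i++)
        table[i] = dummy;
    return 0;
}

/*
 * Models the reported path: on-stack table of MAX_PKT_BURST entries and a
 * count chosen by the caller. Returns the number of slots filled, or -1
 * when the request would have written beyond the table.
 */
int tx_burst_model(uint16_t count, int apply_cap)
{
    void *pkts_prealloc[MAX_PKT_BURST];

    if (apply_cap)          /* the clamp from the suggested patch */
        count = (uint16_t)MIN(count, MAX_PKT_BURST);
    if (bulk_fill_checked(pkts_prealloc, MAX_PKT_BURST, count))
        return -1;
    return count;
}

int main(void)
{
    /* Constructed inputs: a burst twice the table size, then a small one. */
    printf("uncapped 64 -> %d\n", tx_burst_model(64, 0));
    printf("capped   64 -> %d\n", tx_burst_model(64, 1));
    printf("capped    8 -> %d\n", tx_burst_model(8, 1));
    return 0;
}
```
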

* RE: lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()
  2022-12-28 20:37 lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed() Mike Cui
@ 2023-01-29  2:11 ` Jiang, Cheng1
  0 siblings, 0 replies; 2+ messages in thread
From: Jiang, Cheng1 @ 2023-01-29  2:11 UTC (permalink / raw)
  To: Mike Cui, dev


Hi Mike,

Thanks for your report.
I agree with you; maybe you can submit the patch to fix it. (By the way, the sync path has the same issue.)

Thanks a lot.
Cheng

From: Mike Cui <cuicui@gmail.com>
Sent: Thursday, December 29, 2022 4:38 AM
To: dev@dpdk.org; Jiang, Cheng1 <cheng1.jiang@intel.com>
Subject: lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()

Hi,

I believe there is a possible stack overflow in this code: https://github.com/DPDK/dpdk/blob/main/lib/vhost/virtio_net.c#L3631

Here, pkts_prealloc is declared on the stack with size MAX_PKT_BURST, then filled in by rte_pktmbuf_alloc_bulk() up to 'count' elements, but 'count' is not capped at MAX_PKT_BURST like in many other code paths.

Suggested patch:


diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c

index 9abf752f30..21f00317c7 100644

--- a/lib/vhost/virtio_net.c

+++ b/lib/vhost/virtio_net.c

@@ -3634,6 +3634,7 @@ virtio_dev_tx_async_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,



              async_iter_reset(async);



+           count = RTE_MIN(count, MAX_PKT_BURST);

              if (rte_pktmbuf_alloc_bulk(mbuf_pool, pkts_prealloc, count))

                              goto out;




^ permalink raw reply	[flat|nested] 2+ messages in thread
