From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <yuanhan.liu@linux.intel.com>
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
 by dpdk.org (Postfix) with ESMTP id 177265A35
 for <dev@dpdk.org>; Wed, 18 Nov 2015 06:31:55 +0100 (CET)
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
 by fmsmga103.fm.intel.com with ESMTP; 17 Nov 2015 21:31:55 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.20,311,1444719600"; d="scan'208";a="853551063"
Received: from yliu-dev.sh.intel.com (HELO yliu-dev) ([10.239.66.49])
 by fmsmga002.fm.intel.com with ESMTP; 17 Nov 2015 21:31:54 -0800
Date: Wed, 18 Nov 2015 13:32:51 +0800
From: Yuanhan Liu <yuanhan.liu@linux.intel.com>
To: Rich Lane <rich.lane@bigswitch.com>
Message-ID: <20151118053251.GY2326@yliu-dev.sh.intel.com>
References: <1447315353-42152-1-git-send-email-rlane@bigswitch.com>
 <20151112092305.GI2326@yliu-dev.sh.intel.com>
 <CAGSMBPOLNsc-+_Zj7FgBhmD0kpUAoy3fu5urxN74YTfmE20Qzw@mail.gmail.com>
 <20151117132349.GT2326@yliu-dev.sh.intel.com>
 <CAGSMBPPrustS5-2BdGmkKFUTQBnHcb6NRJ43TYuL2zRVAWkWqw@mail.gmail.com>
 <20151118025655.GW2326@yliu-dev.sh.intel.com>
 <CAGSMBPNfKZidDsGpsmYCzW+38uUxwJRn4TB6s-spWt62T0ASag@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAGSMBPNfKZidDsGpsmYCzW+38uUxwJRn4TB6s-spWt62T0ASag@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in
	update_secure_len
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 05:31:56 -0000

On Tue, Nov 17, 2015 at 09:26:57PM -0800, Rich Lane wrote:
> On Tue, Nov 17, 2015 at 6:56 PM, Yuanhan Liu <yuanhan.liu@linux.intel.com>
> wrote:
> 
>     @@ -519,6 +526,8 @@ virtio_dev_merge_rx(struct virtio_net *dev, uint16_t
>     queue_id,
>                                             goto merge_rx_exit;
>                                     } else {
>                                             update_secure_len(vq, res_cur_idx,
>     &secure_len, &vec_idx);
>     +                                       if (secure_len == 0)
>     +                                               goto merge_rx_exit;
>                                             res_cur_idx++;
>                                     }
>                             } while (pkt_len > secure_len);
> 
> 
> I think this needs to check whether secure_len was modified. secure_len is
> read-write and could have a nonzero value going into the call. It could be
> cleaner to give update_secure_len a return value saying whether it was able to
> reserve any buffers.

Good suggestion.

	--yliu
> 
> Otherwise looks good, thanks!