From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id C4DDCA0679 for ; Mon, 29 Apr 2019 16:02:27 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id F09541B11A; Mon, 29 Apr 2019 16:02:25 +0200 (CEST) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id D0A971B112; Mon, 29 Apr 2019 16:02:23 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Apr 2019 07:02:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,409,1549958400"; d="scan'208";a="168958228" Received: from aburakov-mobl1.ger.corp.intel.com (HELO [10.237.220.113]) ([10.237.220.113]) by fmsmga001.fm.intel.com with ESMTP; 29 Apr 2019 07:02:21 -0700 To: Ferruh Yigit , Herakliusz Lipiec , Keith Wiles Cc: dev@dpdk.org, rasland@mellanox.com, stable@dpdk.org References: <20190425164700.30948-1-herakliusz.lipiec@intel.com> <20190425171702.933-1-herakliusz.lipiec@intel.com> From: "Burakov, Anatoly" Message-ID: Date: Mon, 29 Apr 2019 15:02:20 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format="flowed" Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH v2] net/tap: fix potential buffer overrun X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Message-ID: <20190429140220.ZtI5WNC_AHkw4GF7KLl7IDgVbDcWoO9BjqAe31U5N_w@z> On 29-Apr-19 2:53 PM, Ferruh Yigit wrote: > On 4/25/2019 6:17 PM, Herakliusz Lipiec wrote: >> When secondary to primary process synchronization occours >> there is no check for number of fds which could cause buffer overrun. >> >> Bugzilla ID: 252 >> Fixes: c9aa56edec8e ("net/tap: access primary process queues from secondary") >> Cc: rasland@mellanox.com >> Cc: stable@dpdk.org >> >> Signed-off-by: Herakliusz Lipiec >> --- >> drivers/net/tap/rte_eth_tap.c | 13 +++++++++++-- >> 1 file changed, 11 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c >> index e9fda8cf6..4a2ef5ce7 100644 >> --- a/drivers/net/tap/rte_eth_tap.c >> +++ b/drivers/net/tap/rte_eth_tap.c >> @@ -2111,6 +2111,10 @@ tap_mp_attach_queues(const char *port_name, struct rte_eth_dev *dev) >> TAP_LOG(DEBUG, "Received IPC reply for %s", reply_param->port_name); >> >> /* Attach the queues from received file descriptors */ >> + if (reply_param->rxq_count + reply_param->txq_count != reply->num_fds) { >> + TAP_LOG(ERR, "Unexpected number of fds received"); >> + return -1; >> + } > > Is there a way this can happen? If not I suggest remove the check. Normally no, but theoretically this can trigger a buffer overrun if not checked. After all, something could either fail on the other side, or someone could send a fake message :) This data is coming from an external source, so we need to sanity-check it. > >> dev->data->nb_rx_queues = reply_param->rxq_count; >> dev->data->nb_tx_queues = reply_param->txq_count; >> fd_iterator = 0; >> @@ -2151,12 +2155,16 @@ tap_mp_sync_queues(const struct rte_mp_msg *request, const void *peer) >> /* Fill file descriptors for all queues */ >> reply.num_fds = 0; >> reply_param->rxq_count = 0; >> + if (dev->data->nb_rx_queues + dev->data->nb_tx_queues > >> + RTE_MP_MAX_FD_NUM){ >> + TAP_LOG(ERR, "Number of rx/tx queues exceeds max number of fds"); >> + return -1; >> + } > > +1 for the check. > But what it does when return "-1", not send a message at all? If so would it be > better to send and error message back instead of waiting the receiver to timeout? There will be a different patch fixing this specific issue. Probably this patch would need to be rebased on top of that. > >> for (queue = 0; queue < dev->data->nb_rx_queues; queue++) { >> reply.fds[reply.num_fds++] = process_private->rxq_fds[queue]; >> reply_param->rxq_count++; >> } >> RTE_ASSERT(reply_param->rxq_count == dev->data->nb_rx_queues); >> - RTE_ASSERT(reply_param->txq_count == dev->data->nb_tx_queues); >> RTE_ASSERT(reply.num_fds <= RTE_MP_MAX_FD_NUM); > > Since there is dynamic check above for "RTE_MP_MAX_FD_NUM", we can remove this > assert I think. > >> >> reply_param->txq_count = 0; >> @@ -2164,7 +2172,8 @@ tap_mp_sync_queues(const struct rte_mp_msg *request, const void *peer) >> reply.fds[reply.num_fds++] = process_private->txq_fds[queue]; >> reply_param->txq_count++; >> } >> - >> + RTE_ASSERT(reply_param->txq_count == dev->data->nb_tx_queues); >> + RTE_ASSERT(reply.num_fds <= RTE_MP_MAX_FD_NUM); > > Same for this assert, we can remove it. > And as syntax, please keep the empty line before next block. > >> /* Send reply */ >> strlcpy(reply.name, request->name, sizeof(reply.name)); >> strlcpy(reply_param->port_name, request_param->port_name, >> > > -- Thanks, Anatoly