From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <dev-bounces@dpdk.org> Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id C4DDCA0679 for <public@inbox.dpdk.org>; Mon, 29 Apr 2019 16:02:27 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id F09541B11A; Mon, 29 Apr 2019 16:02:25 +0200 (CEST) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id D0A971B112; Mon, 29 Apr 2019 16:02:23 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Apr 2019 07:02:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,409,1549958400"; d="scan'208";a="168958228" Received: from aburakov-mobl1.ger.corp.intel.com (HELO [10.237.220.113]) ([10.237.220.113]) by fmsmga001.fm.intel.com with ESMTP; 29 Apr 2019 07:02:21 -0700 To: Ferruh Yigit <ferruh.yigit@intel.com>, Herakliusz Lipiec <herakliusz.lipiec@intel.com>, Keith Wiles <keith.wiles@intel.com> Cc: dev@dpdk.org, rasland@mellanox.com, stable@dpdk.org References: <20190425164700.30948-1-herakliusz.lipiec@intel.com> <20190425171702.933-1-herakliusz.lipiec@intel.com> <e48cc6b9-b87c-063f-da09-88b976842a41@intel.com> From: "Burakov, Anatoly" <anatoly.burakov@intel.com> Message-ID: <f9501450-62a5-ffa2-c995-af39dce1f516@intel.com> Date: Mon, 29 Apr 2019 15:02:20 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <e48cc6b9-b87c-063f-da09-88b976842a41@intel.com> Content-Type: text/plain; charset="UTF-8"; format="flowed" Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH v2] net/tap: fix potential buffer overrun X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions <dev.dpdk.org> List-Unsubscribe: <https://mails.dpdk.org/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://mails.dpdk.org/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <https://mails.dpdk.org/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org> Message-ID: <20190429140220.ZtI5WNC_AHkw4GF7KLl7IDgVbDcWoO9BjqAe31U5N_w@z> On 29-Apr-19 2:53 PM, Ferruh Yigit wrote: > On 4/25/2019 6:17 PM, Herakliusz Lipiec wrote: >> When secondary to primary process synchronization occours >> there is no check for number of fds which could cause buffer overrun. >> >> Bugzilla ID: 252 >> Fixes: c9aa56edec8e ("net/tap: access primary process queues from secondary") >> Cc: rasland@mellanox.com >> Cc: stable@dpdk.org >> >> Signed-off-by: Herakliusz Lipiec <herakliusz.lipiec@intel.com> >> --- >> drivers/net/tap/rte_eth_tap.c | 13 +++++++++++-- >> 1 file changed, 11 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c >> index e9fda8cf6..4a2ef5ce7 100644 >> --- a/drivers/net/tap/rte_eth_tap.c >> +++ b/drivers/net/tap/rte_eth_tap.c >> @@ -2111,6 +2111,10 @@ tap_mp_attach_queues(const char *port_name, struct rte_eth_dev *dev) >> TAP_LOG(DEBUG, "Received IPC reply for %s", reply_param->port_name); >> >> /* Attach the queues from received file descriptors */ >> + if (reply_param->rxq_count + reply_param->txq_count != reply->num_fds) { >> + TAP_LOG(ERR, "Unexpected number of fds received"); >> + return -1; >> + } > > Is there a way this can happen? If not I suggest remove the check. Normally no, but theoretically this can trigger a buffer overrun if not checked. After all, something could either fail on the other side, or someone could send a fake message :) This data is coming from an external source, so we need to sanity-check it. > >> dev->data->nb_rx_queues = reply_param->rxq_count; >> dev->data->nb_tx_queues = reply_param->txq_count; >> fd_iterator = 0; >> @@ -2151,12 +2155,16 @@ tap_mp_sync_queues(const struct rte_mp_msg *request, const void *peer) >> /* Fill file descriptors for all queues */ >> reply.num_fds = 0; >> reply_param->rxq_count = 0; >> + if (dev->data->nb_rx_queues + dev->data->nb_tx_queues > >> + RTE_MP_MAX_FD_NUM){ >> + TAP_LOG(ERR, "Number of rx/tx queues exceeds max number of fds"); >> + return -1; >> + } > > +1 for the check. > But what it does when return "-1", not send a message at all? If so would it be > better to send and error message back instead of waiting the receiver to timeout? There will be a different patch fixing this specific issue. Probably this patch would need to be rebased on top of that. > >> for (queue = 0; queue < dev->data->nb_rx_queues; queue++) { >> reply.fds[reply.num_fds++] = process_private->rxq_fds[queue]; >> reply_param->rxq_count++; >> } >> RTE_ASSERT(reply_param->rxq_count == dev->data->nb_rx_queues); >> - RTE_ASSERT(reply_param->txq_count == dev->data->nb_tx_queues); >> RTE_ASSERT(reply.num_fds <= RTE_MP_MAX_FD_NUM); > > Since there is dynamic check above for "RTE_MP_MAX_FD_NUM", we can remove this > assert I think. > >> >> reply_param->txq_count = 0; >> @@ -2164,7 +2172,8 @@ tap_mp_sync_queues(const struct rte_mp_msg *request, const void *peer) >> reply.fds[reply.num_fds++] = process_private->txq_fds[queue]; >> reply_param->txq_count++; >> } >> - >> + RTE_ASSERT(reply_param->txq_count == dev->data->nb_tx_queues); >> + RTE_ASSERT(reply.num_fds <= RTE_MP_MAX_FD_NUM); > > Same for this assert, we can remove it. > And as syntax, please keep the empty line before next block. > >> /* Send reply */ >> strlcpy(reply.name, request->name, sizeof(reply.name)); >> strlcpy(reply_param->port_name, request_param->port_name, >> > > -- Thanks, Anatoly