From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id A1EC6A0032;
	Mon, 18 Jul 2022 15:08:49 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 969E240DF6;
	Mon, 18 Jul 2022 15:08:49 +0200 (CEST)
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
 by mails.dpdk.org (Postfix) with ESMTP id 6C1C94069F;
 Mon, 18 Jul 2022 15:08:48 +0200 (CEST)
Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.53])
 by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Lmj023Y1QzkX3V;
 Mon, 18 Jul 2022 21:06:26 +0800 (CST)
Received: from dggpemm500008.china.huawei.com (7.185.36.136) by
 dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Mon, 18 Jul 2022 21:08:46 +0800
Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com
 (7.185.36.136) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 18 Jul
 2022 21:08:45 +0800
From: Yunjian Wang <wangyunjian@huawei.com>
To: <dev@dpdk.org>
CC: <chas3@att.com>, <humin29@huawei.com>, <huangshaozhang@huawei.com>,
 <jilei8@huawei.com>, Yunjian Wang <wangyunjian@huawei.com>, <stable@dpdk.org>
Subject: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst
Date: Mon, 18 Jul 2022 21:08:44 +0800
Message-ID: <23483205275b4639324b82c1607cd867327bf783.1658146483.git.wangyunjian@huawei.com>
X-Mailer: git-send-email 1.9.5.msysgit.1
In-Reply-To: <20210810064323.4161835-1-jilei8@huawei.com>
References: <20210810064323.4161835-1-jilei8@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.174.242.157]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
 dggpemm500008.china.huawei.com (7.185.36.136)
X-CFilter-Loop: Reflected
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

In bond_ethdev_rx_burst() function, we check the validity of the
'active_slave' as this code:
if (++active_slave == slave_count)
	active_slave = 0;
However, the value of 'active_slave' maybe equal to 'slave_count',
when a slave is down. This is wrong and it can cause buffer overflow.
This patch fixes the issue by using '>=' instead of '=='.

Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness")
Cc: stable@dpdk.org

Signed-off-by: Lei Ji <jilei8@huawei.com>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 drivers/net/bonding/rte_eth_bond_pmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c
index 73e6972035..6f8a6da108 100644
--- a/drivers/net/bonding/rte_eth_bond_pmd.c
+++ b/drivers/net/bonding/rte_eth_bond_pmd.c
@@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					 bufs + num_rx_total, nb_pkts);
 		num_rx_total += num_rx_slave;
 		nb_pkts -= num_rx_slave;
-		if (++active_slave == slave_count)
+		if (++active_slave >= slave_count)
 			active_slave = 0;
 	}
 
-- 
2.27.0