From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id EA3AD2BE6 for ; Mon, 11 Apr 2016 19:49:15 +0200 (CEST) Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga104.fm.intel.com with ESMTP; 11 Apr 2016 10:49:14 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.24,462,1455004800"; d="scan'208";a="83164583" Received: from sie-lab-212-251.ir.intel.com (HELO silpixa00381635.ir.intel.com) ([10.237.212.251]) by fmsmga004.fm.intel.com with ESMTP; 11 Apr 2016 10:49:14 -0700 From: Jasvinder Singh To: dev@dpdk.org Cc: cristian.dumitrescu@intel.com Date: Mon, 11 Apr 2016 18:55:37 +0100 Message-Id: <1460397337-237625-1-git-send-email-jasvinder.singh@intel.com> X-Mailer: git-send-email 2.5.5 Subject: [dpdk-dev] [PATCH] librte_port: fix the buffer overflow for ring writer X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Apr 2016 17:49:16 -0000 Fixes the buffer overflow that occurs due to following; 1. When the input packet burst does not meet the conditions: (a) being contiguous (first n bits set in pkts_mask, all the other bits cleared) and (b) containing a full burst, i.e. at least tx_burst_sz packets (n >= tx_burst_size). This is the slow(er) code path taken when local variable expr != 0. 2. There are some packets already in the buffer. 3. The number of packets in the incoming burst (i.e. popcount(pkts_mask)) plus the number of packets already in the buffer exceeds the buffer size (RTE_PORT_IN_BURST_SIZE_MAX, i.e. 64). Fixes: bf6931b242f7 ("port: ring") Fixes: 5f4cd47309d6 ("port: add ring writer nodrop") Signed-off-by: Jasvinder Singh Acked-by: Cristian Dumitrescu --- lib/librte_port/rte_port_ring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/librte_port/rte_port_ring.c b/lib/librte_port/rte_port_ring.c index d36e12d..3b9d3d0 100644 --- a/lib/librte_port/rte_port_ring.c +++ b/lib/librte_port/rte_port_ring.c @@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port, struct rte_port_ring_writer { struct rte_port_out_stats stats; - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX]; + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX]; struct rte_ring *ring; uint32_t tx_burst_sz; uint32_t tx_buf_count; @@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port, struct rte_port_ring_writer_nodrop { struct rte_port_out_stats stats; - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX]; + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX]; struct rte_ring *ring; uint32_t tx_burst_sz; uint32_t tx_buf_count; -- 2.5.5