From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <i.maximets@samsung.com>
Received: from mailout2.w1.samsung.com (mailout2.w1.samsung.com
 [210.118.77.12]) by dpdk.org (Postfix) with ESMTP id 28C7B5320
 for <dev@dpdk.org>; Thu, 21 Jul 2016 13:03:48 +0200 (CEST)
Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245])
 by mailout2.w1.samsung.com
 (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014))
 with ESMTP id <0OAN00GXXW2AMH70@mailout2.w1.samsung.com> for dev@dpdk.org;
 Thu, 21 Jul 2016 12:03:46 +0100 (BST)
X-AuditID: cbfec7f5-f792a6d000001302-77-5790ac110a20
Received: from eusync4.samsung.com ( [203.254.199.214])
 by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id F1.8D.04866.11CA0975; Thu,
 21 Jul 2016 12:03:45 +0100 (BST)
Received: from imaximets.rnd.samsung.ru ([106.109.129.180])
 by eusync4.samsung.com
 (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014))
 with ESMTPA id <0OAN00DEKW24UXB0@eusync4.samsung.com>; Thu,
 21 Jul 2016 12:03:45 +0100 (BST)
From: Ilya Maximets <i.maximets@samsung.com>
To: dev@dpdk.org, Helin Zhang <helin.zhang@intel.com>,
 Jingjing Wu <jingjing.wu@intel.com>
Cc: Zhe Tao <zhe.tao@intel.com>, Heetae Ahn <heetae82.ahn@samsung.com>,
 Thomas Monjalon <thomas.monjalon@6wind.com>,
 Ilya Maximets <i.maximets@samsung.com>, Sergey Dyasly <s.dyasly@samsung.com>
Date: Thu, 21 Jul 2016 14:03:38 +0300
Message-id: <1469099018-31402-1-git-send-email-i.maximets@samsung.com>
X-Mailer: git-send-email 2.7.4
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrNJMWRmVeSWpSXmKPExsVy+t/xa7qCayaEG7y+q2nx7tN2Jotpn2+z
 W0y5tp3R4kr7T3aLmQs+M1pMni1l8WXTdDaLDV9+MTlweFzsv8Po8WvBUlaPxXteMnn0bVnF
 GMASxWWTkpqTWZZapG+XwJXxaL9EwUnOij+bZzI2MP5j72Lk5JAQMJHY++kxG4QtJnHh3nog
 m4tDSGApo8SvpzfBEkICrUwSN4/rg9hsAjoSp1YfYQSxRQRiJH4dW8sE0sAscJRR4vbvv2AJ
 YQEXicsv/zOB2CwCqhKtbY9YQGxeATeJ/xt3MEFsk5O4ea6TeQIj9wJGhlWMoqmlyQXFSem5
 RnrFibnFpXnpesn5uZsYIUHydQfj0mNWhxgFOBiVeHh3rO4PF2JNLCuuzD3EKMHBrCTCO3/V
 hHAh3pTEyqrUovz4otKc1OJDjNIcLErivDN3vQ8REkhPLEnNTk0tSC2CyTJxcEo1MF7O3pXc
 JXu4vGv7vc/l7w1Lr2juTVvU89jqsef7VYpOm7LkDAIdJwm4mG3xiZv+xer1a40DfjNVjl4X
 ejC/65NdX8zBxXXhkRunrC9afWejhe+XXa+/H5eQ+DxPd3XlU+GKYDt+I2/fjOcCnjt3Cu+Q
 bPfzY49vvfHrXX5Yn+fhTzduqGp4ayqxFGckGmoxFxUnAgCLjvonDgIAAA==
Subject: [dpdk-dev] [PATCH] net/i40e: fix out-of-bounds writes during vector
	Rx
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 11:03:48 -0000

From: Sergey Dyasly <s.dyasly@samsung.com>

Rx loop inside _recv_raw_pkts_vec() ignores nb_pkts argument and always
tries to receive RTE_I40E_VPMD_RX_BURST (32) packets. This is a violation
of rte_eth_rx_burst() API and can lead to memory corruption (out-of-bounds
writes to struct rte_mbuf **rx_pkts) if nb_pkts is less than 32.

Fix this by actually using nb_pkts inside the loop.

Fixes: 9ed94e5bb04e ("i40e: add vector Rx")

Signed-off-by: Sergey Dyasly <s.dyasly@samsung.com>
Acked-by: Ilya Maximets <i.maximets@samsung.com>
---
 drivers/net/i40e/i40e_rxtx_vec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/i40e/i40e_rxtx_vec.c b/drivers/net/i40e/i40e_rxtx_vec.c
index 05cb415..51fb282 100644
--- a/drivers/net/i40e/i40e_rxtx_vec.c
+++ b/drivers/net/i40e/i40e_rxtx_vec.c
@@ -269,7 +269,7 @@ _recv_raw_pkts_vec(struct i40e_rx_queue *rxq, struct rte_mbuf **rx_pkts,
 	 * D. fill info. from desc to mbuf
 	 */
 
-	for (pos = 0, nb_pkts_recd = 0; pos < RTE_I40E_VPMD_RX_BURST;
+	for (pos = 0, nb_pkts_recd = 0; pos < nb_pkts;
 			pos += RTE_I40E_DESCS_PER_LOOP,
 			rxdp += RTE_I40E_DESCS_PER_LOOP) {
 		__m128i descs[RTE_I40E_DESCS_PER_LOOP];
-- 
2.7.4