From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail01.arraynetworks.com.cn (mail.arraynetworks.com.cn [124.42.99.121]) by dpdk.org (Postfix) with ESMTP id 2DAB52C1A; Tue, 14 Mar 2017 11:11:09 +0100 (CET)
Received: from localhost.localdomain.localdomain (192.168.4.200) by mail01.arraynetworks.com.cn (10.3.0.251) with Microsoft SMTP Server id 14.3.123.3; Tue, 14 Mar 2017 18:08:22 +0800
From: Wenfeng Liu
To: ,
CC: ,
Date: Tue, 14 Mar 2017 10:09:56 +0000
Message-ID: <1489486196-7456-1-git-send-email-liuwf@arraynetworks.com.cn>
X-Mailer: git-send-email 1.8.3.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [192.168.4.200]
Subject: [dpdk-dev] [PATCH v2] net/virtio-user: fix overflow
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 14 Mar 2017 10:11:11 -0000

virtio-user limits the queue number to 8 but provides no limit check
against the queue number input from user. If a bigger queue number (> 8)
is given, there is an overflow issue. Doing a sanity check could avoid
it.

Fixes: 37a7eb2ae816 ("net/virtio-user: add device emulation layer")
Cc: stable@dpdk.org

Signed-off-by: Wenfeng Liu
---
 drivers/net/virtio/virtio_pci.h                  | 3 ++-
 drivers/net/virtio/virtio_user/virtio_user_dev.c | 2 +-
 drivers/net/virtio/virtio_user/virtio_user_dev.h | 6 +++---
 drivers/net/virtio/virtio_user_ethdev.c          | 7 +++++++
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/net/virtio/virtio_pci.h b/drivers/net/virtio/virtio_pci.h index 59e45c4..1302556 100644 --- a/drivers/net/virtio/virtio_pci.h +++ b/drivers/net/virtio/virtio_pci.h
@@ -160,7 +160,8 @@ /* * Maximum number of virtqueues per device. */ -#define VIRTIO_MAX_VIRTQUEUES 8 +#define VIRTIO_MAX_VIRTQUEUE_PAIRS 8 +#define VIRTIO_MAX_VIRTQUEUES (VIRTIO_MAX_VIRTQUEUE_PAIRS * 2 + 1) /* Common configuration */ #define VIRTIO_PCI_CAP_COMMON_CFG 1 diff --git a/drivers/net/virtio/virtio_user/virtio_user_dev.c b/drivers/net/virtio/virtio_user/virtio_user_dev.c index e7fd65f..5b81676 100644 --- a/drivers/net/virtio/virtio_user/virtio_user_dev.c +++ b/drivers/net/virtio/virtio_user/virtio_user_dev.c @@ -234,7 +234,7 @@ int virtio_user_stop_device(struct virtio_user_dev *dev) uint32_t i, q; dev->vhostfd = -1; - for (i = 0; i < VIRTIO_MAX_VIRTQUEUES * 2 + 1; ++i) { + for (i = 0; i < VIRTIO_MAX_VIRTQUEUES; ++i) { dev->kickfds[i] = -1; dev->callfds[i] = -1; } diff --git a/drivers/net/virtio/virtio_user/virtio_user_dev.h b/drivers/net/virtio/virtio_user/virtio_user_dev.h index 6ecb91e..ba80d05 100644 --- a/drivers/net/virtio/virtio_user/virtio_user_dev.h +++ b/drivers/net/virtio/virtio_user/virtio_user_dev.h @@ -49,8 +49,8 @@ struct virtio_user_dev { int *tapfds; /* for both vhost_user and vhost_kernel */ - int callfds[VIRTIO_MAX_VIRTQUEUES * 2 + 1]; - int kickfds[VIRTIO_MAX_VIRTQUEUES * 2 + 1]; + int callfds[VIRTIO_MAX_VIRTQUEUES]; + int kickfds[VIRTIO_MAX_VIRTQUEUES]; int mac_specified; uint32_t max_queue_pairs; uint32_t queue_pairs; @@ -62,7 +62,7 @@ struct virtio_user_dev { uint8_t status; uint8_t mac_addr[ETHER_ADDR_LEN]; char path[PATH_MAX]; - struct vring vrings[VIRTIO_MAX_VIRTQUEUES * 2 + 1]; + struct vring vrings[VIRTIO_MAX_VIRTQUEUES]; struct virtio_user_backend_ops *ops; }; diff --git a/drivers/net/virtio/virtio_user_ethdev.c b/drivers/net/virtio/virtio_user_ethdev.c index 16d1526..d476a2d 100644 --- a/drivers/net/virtio/virtio_user_ethdev.c +++ b/drivers/net/virtio/virtio_user_ethdev.c 
@@ -433,6 +433,13 @@ goto end; } + if (queues > VIRTIO_MAX_VIRTQUEUE_PAIRS) { + PMD_INIT_LOG(ERR, "arg %s %u exceeds the limit %u", + VIRTIO_USER_ARG_QUEUES_NUM, queues, + VIRTIO_MAX_VIRTQUEUE_PAIRS); + goto end; + } + eth_dev = virtio_user_eth_dev_alloc(name); if (!eth_dev) { PMD_INIT_LOG(ERR, "virtio_user fails to alloc device"); -- 1.8.3.1
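Review bot: In the drivers/net/virtio/virtio_pci.h hunk, the existing comment "Maximum number of virtqueues per device." now sits above two macros with different units, and nothing explains the "* 2 + 1" in VIRTIO_MAX_VIRTQUEUES. Please give each define its own comment saying that VIRTIO_MAX_VIRTQUEUE_PAIRS counts queue pairs and VIRTIO_MAX_VIRTQUEUES counts individual queues, and state what the extra entry is for. Note also that this header is not under virtio_user/ and the value of VIRTIO_MAX_VIRTQUEUES changes from 8 to 17 here. In the virtio_user files touched by this patch the array sizes and the loop bound were already "VIRTIO_MAX_VIRTQUEUES * 2 + 1", so they stay the same size, but any user of the old name outside these files silently gets the new value and should be checked against the new meaning.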
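Review bot: In the drivers/net/virtio/virtio_user_ethdev.c hunk, the new PMD_INIT_LOG call prints queues with %u, but the declaration of queues is outside the hunk; if it is wider than unsigned int the specifier does not match and should be replaced with the matching one (for example PRIu64 from <inttypes.h> for a uint64_t). The second %u receives VIRTIO_MAX_VIRTQUEUE_PAIRS, which expands to the plain int constant 8, so either define it as 8U or print it with %d. The check itself is the only functional change in the patch and covers just the upper bound on the user-supplied value; since callfds, kickfds and vrings in struct virtio_user_dev are all sized from this limit, a short comment above the check naming those arrays would tell the next reader why the bound must not be relaxed without resizing them.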