From: yuanlinsi01
To: ajit.khaparde@broadcom.com, somnath.kotur@broadcom.com
Cc: dev@dpdk.org
Date: Thu, 30 Apr 2020 18:07:04 +0800
Message-Id: <1588241224-9717-1-git-send-email-yuanlinsi01@baidu.com>
Subject: [dpdk-dev] [PATCH] net/bnxt: fix a possible stack smashing

We see a stack smashing as a result of defensive code missing. Once the
nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to
zero after doing a floor align, and we cannot exit the following
receiving packets loop. And the buffers will be overwritten, then the
stack frame was ruined.

Fix the problem by adding defensive code, once the nb_pkts is zero, just
directly return with no packets.

__GI___backtrace (array=0x7fcec7ac3f00, size=256) at ../sysdeps/x86_64/backtrace.c:103
catch_segfault () from /lib64/libSegFault.so
__GI___backtrace (array=array@entry=0x7fcec7ac62e0, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
backtrace_and_maps (do_abort=do_abort@entry=2, written=, fd=fd@entry=2) at ../sysdeps/unix/sysv/linux/libc_fatal.c:47
__libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fced6091c60 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:172
__GI___fortify_fail (msg=msg@entry=0x7fced6091c48 "stack smashing detected") at fortify_fail.c:31
__stack_chk_fail () at stack_chk_fail.c:28
bnxt_recv_pkts_vec (rx_queue=0x14c571f00, rx_pkts=0x7fcec7ac6f28, nb_pkts=0)
rte_eth_rx_burst (port_id=1, queue_id=3, rx_pkts=0x7fcec7ac6f28, nb_pkts=1)

Signed-off-by: yuanlinsi01
Signed-off-by: rongdongsheng
---
 drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c index d0e7910e7..c4adccdbc 100644 --- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c +++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c @@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts, /* Return no more than RTE_BNXT_MAX_RX_BURST per call. */ nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST); - /* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */ + /* + * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP + * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet + */ nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP); + if (!nb_pkts) + return 0; /* Handle RX burst request */ while (1) { -- 2.11.0
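Review bot: with the early return placed after RTE_ALIGN_FLOOR, any burst request smaller than RTE_BNXT_DESCS_PER_LOOP (such as the rte_eth_rx_burst call with nb_pkts=1 in the backtrace) now silently returns 0 on every call, so a caller polling with a small burst size never receives a packet on this vector path. That is safe with respect to the overflow, but the constraint should be stated where callers will find it: expand the new comment to say that requests below RTE_BNXT_DESCS_PER_LOOP are rounded down to zero and rejected, and consider noting the minimum burst size in the driver documentation. The second comment line, "nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet", also reads as a statement rather than a condition; something like "If nb_pkts < RTE_BNXT_DESCS_PER_LOOP, return no packets." is clearer. Finally, the commit message carries no Fixes: line naming the change that introduced the floor alignment, which makes the fix harder to backport.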