DPDK patches and discussions
 help / color / mirror / Atom feed
From: Yuan Linsi <yuanlinsi01@baidu.com>
To: ajit.khaparde@broadcom.com, somnath.kotur@broadcom.com,
	lance.richardson@broadcom.com
Cc: dev@dpdk.org
Subject: [dpdk-dev] [PATCH] net/bnxt: fix a possible stack smashing
Date: Wed,  6 May 2020 11:18:56 +0800
Message-ID: <1588735136-16044-1-git-send-email-yuanlinsi01@baidu.com> (raw)

From: yuanlinsi01 <yuanlinsi01@baidu.com>

We see a stack smashing as a result of defensive code missing. Once the
nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to
zero after doing a floor align, and we can not exit the following
receiving packets loop. And the buffers will be overwrite, then the
stack frame was ruined.

Fix the problem by adding defensive code, once the nb_pkts is zero, just
directly return with no packets.

Fixes: bc4a000f2 ("net/bnxt: implement SSE vector mode")
Cc: stable@dpdk.org

Signed-off-by: Linsi Yuan <yuanlinsi01@baidu.com>
Signed-off-by: Dongsheng Rong <rongdongsheng@baidu.com>
---
 drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
index d0e7910e7..8f73add9b 100644
--- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
+++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
@@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts,
 	/* Return no more than RTE_BNXT_MAX_RX_BURST per call. */
 	nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST);
 
-	/* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */
+	/*
+	 * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP.
+	 * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet
+	 */
 	nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP);
+	if (!nb_pkts)
+		return 0;
 
 	/* Handle RX burst request */
 	while (1) {
-- 
2.11.0


             reply	other threads:[~2020-05-06  3:19 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-06  3:18 Yuan Linsi [this message]
  -- strict thread matches above, loose matches on Subject: below --
2020-05-06  3:28 Yuan Linsi
2020-05-06  5:26 ` Ajit Khaparde
2020-04-30 13:37 Yuan Linsi
2020-04-30 13:45 ` Lance Richardson
2020-04-30 18:29   ` Ajit Khaparde
2020-04-30 23:55 ` Ferruh Yigit
2020-05-05  3:42   ` Ajit Khaparde
2020-05-06  3:18     ` [dpdk-dev] 答复: " Yuan,Linsi
2020-04-30 12:05 [dpdk-dev] " yuanlinsi01
2020-04-30 12:55 ` Somnath Kotur
2020-04-30 13:33   ` [dpdk-dev] 答复: " Yuan,Linsi
2020-04-30 10:08 [dpdk-dev] " yuanlinsi01
2020-04-30 10:07 yuanlinsi01

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1588735136-16044-1-git-send-email-yuanlinsi01@baidu.com \
    --to=yuanlinsi01@baidu.com \
    --cc=ajit.khaparde@broadcom.com \
    --cc=dev@dpdk.org \
    --cc=lance.richardson@broadcom.com \
    --cc=somnath.kotur@broadcom.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK patches and discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git