From: Yuanhan Liu
To: Rich Lane
Cc: dev@dpdk.org
Date: Wed, 18 Nov 2015 13:32:51 +0800
Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
Message-ID: <20151118053251.GY2326@yliu-dev.sh.intel.com>

On Tue, Nov 17, 2015 at 09:26:57PM -0800, Rich Lane wrote:
> On Tue, Nov 17, 2015 at 6:56 PM, Yuanhan Liu wrote:
> > @@ -519,6 +526,8 @@ virtio_dev_merge_rx(struct virtio_net *dev, uint16_t > queue_id, >                                         goto merge_rx_exit; >                                 } else { >                                         update_secure_len(vq, res_cur_idx, > &secure_len, &vec_idx); > +                                       if (secure_len == 0) > +                                               goto merge_rx_exit; >                                         res_cur_idx++; >                                 } >                         } while (pkt_len > secure_len); > > > I think this needs to check whether secure_len was modified. secure_len is > read-write and could have a nonzero value going into the call. It could be > cleaner to give update_secure_len a return value saying whether it was able to > reserve any buffers. Good suggestion. --yliu > > Otherwise looks good, thanks!
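Review bot: The `secure_len == 0` test added after the update_secure_len() call in the do/while body only detects a failed reservation when secure_len was zero going into the call. secure_len is passed by pointer and the loop condition is `while (pkt_len > secure_len)`, so on a later pass it can already hold a nonzero value; a call that reserves nothing then leaves it nonzero and execution falls through to res_cur_idx++ as if a buffer had been reserved. Save the value before the call and go to merge_rx_exit when it is unchanged afterwards, or have update_secure_len return whether it reserved a buffer and branch on that result.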