DPDK patches and discussions
* [dpdk-dev] [PATCH] net/virtio: do not gso when no header is present
@ 2017-01-24 20:36 Emmanuel Roullit
  2017-01-30 12:42 ` Yuanhan Liu
  0 siblings, 1 reply; 2+ messages in thread
From: Emmanuel Roullit @ 2017-01-24 20:36 UTC (permalink / raw)
  To: huawei.xie, yuanhan.liu; +Cc: dev

Found with clang static analysis:
lib/librte_vhost/virtio_net.c:723:17: warning:
Access to field 'data_off' results in a dereference of a null pointer
(loaded from variable 'tcp_hdr')
        m->l4_len = (tcp_hdr->data_off & 0xf0) >> 2;
                     ^~~~~~~~~~~~~~~~~

Fixes: 2a51b1091cb5 ("vhost: support indirect descriptor in non-mergeable Rx")

Signed-off-by: Emmanuel Roullit <emmanuel.roullit@gmail.com>
---
 lib/librte_vhost/virtio_net.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 595f67c4d..82444b7b9 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -677,6 +677,7 @@ parse_ethernet(struct rte_mbuf *m, uint16_t *l4_proto, void **l4_hdr)
 	default:
 		m->l3_len = 0;
 		*l4_proto = 0;
+		*l4_hdr = NULL;
 		break;
 	}
 }
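Review bot: the NULL assignment in the default: branch of parse_ethernet() covers only that one path. Setting *l4_hdr = NULL once at function entry would keep any other or future exit from leaving the caller's pointer undefined. The void **l4_hdr out-parameter also deserves a one-line comment stating that NULL means "no L4 header found", since vhost_dequeue_offload() now relies on that contract.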
@@ -713,7 +714,7 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
 		}
 	}
 
-	if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+	if (l4_hdr && hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
 		switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
 		case VIRTIO_NET_HDR_GSO_TCPV4:
 		case VIRTIO_NET_HDR_GSO_TCPV6:
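Review bot: with the new "l4_hdr &&" guard in vhost_dequeue_offload(), a header whose gso_type requests segmentation on a frame with no parsed L4 header is now skipped silently. A short comment on the condition saying why the request is ignored rather than rejected (and, if useful, a debug log) would help the next reader. Style point: DPDK's coding style prefers an explicit comparison, l4_hdr != NULL, over testing the pointer as a boolean.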
-- 
2.11.0


* Re: [dpdk-dev] [PATCH] net/virtio: do not gso when no header is present
  2017-01-24 20:36 [dpdk-dev] [PATCH] net/virtio: do not gso when no header is present Emmanuel Roullit
@ 2017-01-30 12:42 ` Yuanhan Liu
  0 siblings, 0 replies; 2+ messages in thread
From: Yuanhan Liu @ 2017-01-30 12:42 UTC (permalink / raw)
  To: Emmanuel Roullit; +Cc: huawei.xie, dev, Thomas Monjalon, stable

On Tue, Jan 24, 2017 at 09:36:03PM +0100, Emmanuel Roullit wrote:
> Found with clang static analysis:
> lib/librte_vhost/virtio_net.c:723:17: warning:
> Access to field 'data_off' results in a dereference of a null pointer
> (loaded from variable 'tcp_hdr')
>         m->l4_len = (tcp_hdr->data_off & 0xf0) >> 2;
>                      ^~~~~~~~~~~~~~~~~

This is a good fix, thanks. But there are a few minor nits. Firstly, the
prefix is wrong: it should be "vhost", not "net/virtio".

> Fixes: 2a51b1091cb5 ("vhost: support indirect descriptor in non-mergeable Rx")

That's not the original commit that introduced this issue; d0cf91303d73
("vhost: add Tx offload capabilities") is.

I actually saw you have made this kind of mistake (referencing the
wrong culprit commit) a few times. I'm wondering how you got that.

Besides those, I think it's a good candidate for a stable release:
thinking that a malicious guest might forge some invalid virtio net
headers, which would make this potential NULL dereference become real.

So, Cc: stable@dpdk.org,

And Applied to dpdk-next-virtio.

	--yliu
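
The failure mode discussed in this thread, as an added example that is not part of the original patch or of DPDK: a simplified model in which the parser always defines its L4 output pointer and the offload path refuses a guest-requested GSO type when no L4 header was found. The enum constants, parse_frame(), dequeue_offload(), run_case() and the 54-byte frame are constructed for illustration and are assumptions, not DPDK definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for this example, not the DPDK definitions. */
enum { GSO_NONE = 0, GSO_TCPV4 = 1, ETH_LEN = 14, MIN_IP = 20, MIN_TCP = 20 };

/* Locate the L4 header. Every return path leaves *l4_hdr defined. */
static void parse_frame(const uint8_t *f, size_t len, uint8_t *l4_proto,
                        const uint8_t **l4_hdr)
{
    size_t l3_len;
    *l4_proto = 0;
    *l4_hdr = NULL;                      /* default: no L4 header found */
    if (len < ETH_LEN + MIN_IP || f[12] != 0x08 || f[13] != 0x00)
        return;                          /* short frame or not IPv4 */
    l3_len = (size_t)(f[ETH_LEN] & 0x0f) * 4;
    if (l3_len < MIN_IP || len < ETH_LEN + l3_len + MIN_TCP)
        return;                          /* header would run past the frame */
    *l4_proto = f[ETH_LEN + 9];
    *l4_hdr = f + ETH_LEN + l3_len;
}

/* Returns the TCP header length for a TSO request, or -1 when the
 * guest-supplied gso_type cannot be honoured for this frame. */
static int dequeue_offload(uint8_t gso_type, const uint8_t *f, size_t len)
{
    uint8_t proto;
    const uint8_t *l4;
    parse_frame(f, len, &proto, &l4);
    if (l4 == NULL || gso_type != GSO_TCPV4 || proto != 6)
        return -1;
    return (l4[12] & 0xf0) >> 2;         /* TCP data offset, in bytes */
}

/* Constructed 54-byte frame: Ethernet + IPv4 (IHL 5) + TCP (offset 5). */
int run_case(uint8_t eth_hi, uint8_t eth_lo, uint8_t gso_type)
{
    uint8_t f[ETH_LEN + MIN_IP + MIN_TCP] = {0};
    f[12] = eth_hi; f[13] = eth_lo;      /* EtherType, chosen by the caller */
    f[14] = 0x45; f[23] = 6;             /* IPv4, IHL 5, protocol TCP */
    f[46] = 0x50;                        /* TCP data offset: 5 words */
    return dequeue_offload(gso_type, f, sizeof f);
}

int main(void)
{
    printf("%d %d\n", run_case(0x08, 0x00, GSO_TCPV4), run_case(0x88, 0xb5, GSO_TCPV4));
    return 0;
}
```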

