From: wangyunjian
To: "huawei.xie@intel.com", "yuanhan.liu@linux.intel.com"
CC: "dev@dpdk.org"
Date: Fri, 13 Jan 2017 10:20:55 +0000
Message-ID: <34EFBCA9F01B0748BEB6B629CE643AE60BA9405D@DGGEMA505-MBX.china.huawei.com>
Subject: [dpdk-dev] A question about the function fill_vec_buf

In function fill_vec_buf, a uint32_t is cast to uint16_t when *desc_chain_len is assigned from len. This may result in data truncation.

static inline int __attribute__((always_inline))
fill_vec_buf(struct virtio_net *dev, struct vhost_virtqueue *vq,
             uint32_t avail_idx, uint32_t *vec_idx,
             struct buf_vector *buf_vec, uint16_t *desc_chain_head,
             uint16_t *desc_chain_len)  /* The desc_chain_len is defined uint16_t. */
{
        uint16_t idx = vq->avail->ring[avail_idx & (vq->size - 1)];
        uint32_t vec_id = *vec_idx;
        uint32_t len = 0;               /* The len is defined uint32_t. */
        struct vring_desc *descs = vq->desc;

        *desc_chain_head = idx;
        ...
        while (1) {
                if (unlikely(vec_id >= BUF_VECTOR_MAX || idx >= vq->size))
                        return -1;

                len += descs[idx].len;
                buf_vec[vec_id].buf_addr = descs[idx].addr;
                buf_vec[vec_id].buf_len = descs[idx].len;
                buf_vec[vec_id].desc_idx = idx;
                vec_id++;

                if ((descs[idx].flags & VRING_DESC_F_NEXT) == 0)
                        break;

                idx = descs[idx].next;
        }

        *desc_chain_len = len;          /* Here, uint32_t cast to uint16_t. */
        *vec_idx = vec_id;

        return 0;
}
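
Added example, not part of the original message and not DPDK code: the narrowing described above reproduced on a constructed descriptor chain, next to a variant that refuses a chain whose total does not fit in uint16_t. `struct desc`, `F_NEXT`, `sample_ring` and the three functions are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#define F_NEXT 1u /* stand-in for VRING_DESC_F_NEXT */
/* Simplified stand-in for struct vring_desc (assumption) and a constructed ring:
 * 0 -> 1 sums to 0x12000, 2 is a lone 1500-byte buffer, 3 links to itself. */
static const struct desc { uint32_t len; uint16_t flags, next; } sample_ring[4] = {
    { 0x9000, F_NEXT, 1 }, { 0x9000, 0, 0 }, { 1500, 0, 0 }, { 64, F_NEXT, 3 },
};

/* Total chain length in 64 bits, or -1 on a bad index or a cyclic chain. */
static int64_t chain_total(const struct desc *d, uint16_t n, uint16_t idx)
{
    uint64_t total = 0;
    for (uint32_t hops = 0; hops < n && idx < n; hops++) {
        total += d[idx].len;
        if ((d[idx].flags & F_NEXT) == 0)
            return (int64_t)total;
        idx = d[idx].next;
    }
    return -1;
}

/* Narrowing as in the excerpt: a 32-bit sum stored through a uint16_t pointer. */
static int chain_len_truncating(const struct desc *d, uint16_t n, uint16_t head, uint16_t *out)
{
    int64_t total = chain_total(d, n, head);
    if (total < 0)
        return -1;
    *out = (uint16_t)(uint32_t)total; /* implicit in the excerpt; bits 16 and up are lost */
    return 0;
}

/* Checked variant: fail when the total does not fit the output type. */
static int chain_len_checked(const struct desc *d, uint16_t n, uint16_t head, uint16_t *out)
{
    int64_t total = chain_total(d, n, head);
    if (total < 0 || total > UINT16_MAX)
        return -1;
    *out = (uint16_t)total;
    return 0;
}

int main(void)
{
    uint16_t t = 0, c = 0;
    printf("truncating rc=%d", chain_len_truncating(sample_ring, 4, 0, &t));
    printf(" len=0x%x, checked rc=%d\n", (unsigned)t, chain_len_checked(sample_ring, 4, 0, &c));
    return 0;
}
```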