From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 86090A0352;
	Wed,  6 May 2020 07:26:44 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 5FA111D668;
	Wed,  6 May 2020 07:26:44 +0200 (CEST)
Received: from mail-oo1-f65.google.com (mail-oo1-f65.google.com
 [209.85.161.65]) by dpdk.org (Postfix) with ESMTP id 4DBD01D665
 for <dev@dpdk.org>; Wed,  6 May 2020 07:26:42 +0200 (CEST)
Received: by mail-oo1-f65.google.com with SMTP id b17so241463ooa.0
 for <dev@dpdk.org>; Tue, 05 May 2020 22:26:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=zVVkkzkfVn9vj5q5LuZdrgXHgjcevx1gWQBsFB2QFRY=;
 b=Nh+JZ4CsHarEtmoHiA7xPcZQdlwzcoqq4OBCZesKNDpJyQ+8jORqs5EodNbE0T3imB
 4sajXc5yZzP1wBkWg2WpzUregPQYQxRn5Ja/dreylXL/lAdNCTeyFBKo/lQgcvvCx1CS
 Gf14+Rlpvipe4CV7V+t9LyjV7IxmJKXNegdmU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=zVVkkzkfVn9vj5q5LuZdrgXHgjcevx1gWQBsFB2QFRY=;
 b=qCk7sJTqDXkEurmSOpyjLH89Q+b6kk1i9dDAN60qxs8Tg3koL14x2KG9bn4Gks3UrL
 PAddcO9QtWobf+DW//3Xik1vxichdtKTvMMZbe3YW+HnTIQf81AVu+lnZNYB1MQdiPqm
 PJnK4Al3DjRA9Bs1+8I+mccEB2TR7C7bPa3QFcrg1feHo18kxpRMKqbZdG3KhjSuf7oR
 j2hNlvyKlUjoVXomtlYET6FvwyLmH/OhLn2+rAihSyZoQykWgu++lt44LkZRdeQ48C9x
 E7jenVfhIDposCy02rGEZlArXEjpeeT/ffcI9o4HRwOhjbCID/bshiyFaMk/R3+Cp8e0
 Gmlg==
X-Gm-Message-State: AGi0PuYp5R8gC8ZLs4ahPGsP76ldbOw9KYd/QI/fNuGUtwoFccQItXGm
 Oek1H46lHsCDv76ZZAbK+5ovi4fPwmbDuSapTS2ulQ==
X-Google-Smtp-Source: APiQypIG25J8wky/j9b0Xy5ErG4O7T40lNBtQZ3FPNuKcnwRI79uFMGQAEePGREJkr0T0pmqbwQdddKvflOIYGCtJbg=
X-Received: by 2002:a4a:e917:: with SMTP id z23mr5897944ood.23.1588742801168; 
 Tue, 05 May 2020 22:26:41 -0700 (PDT)
MIME-Version: 1.0
References: <1588735732-31676-1-git-send-email-yuanlinsi01@baidu.com>
In-Reply-To: <1588735732-31676-1-git-send-email-yuanlinsi01@baidu.com>
From: Ajit Khaparde <ajit.khaparde@broadcom.com>
Date: Tue, 5 May 2020 22:26:24 -0700
Message-ID: <CACZ4nhuhXne5iMtS99gS+p+O=K9=JdwHaMBx_7s7M3-7-W3VUw@mail.gmail.com>
To: Yuan Linsi <yuanlinsi01@baidu.com>
Cc: Somnath Kotur <somnath.kotur@broadcom.com>, 
 Lance Richardson <lance.richardson@broadcom.com>, dpdk-dev <dev@dpdk.org>
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [dpdk-dev] [PATCH] net/bnxt: fix a possible stack smashing
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Tue, May 5, 2020 at 8:29 PM Yuan Linsi <yuanlinsi01@baidu.com> wrote:

> From: Linsi Yuan <yuanlinsi01@baidu.com>
>
> We see a stack smashing as a result of defensive code missing. Once the
> nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to
> zero after doing a floor align, and we can not exit the following
> receiving packets loop. And the buffers will be overwrite, then the
> stack frame was ruined.
>
> Fix the problem by adding defensive code, once the nb_pkts is zero, just
> directly return with no packets.
>
> Fixes: bc4a000f2 ("net/bnxt: implement SSE vector mode")
> Cc: stable@dpdk.org
>
> Signed-off-by: Linsi Yuan <yuanlinsi01@baidu.com>
> Signed-off-by: Dongsheng Rong <rongdongsheng@baidu.com>
>
Thanks. I updated the earlier version [1] with this Signed-off.

[1] https://patchwork.dpdk.org/patch/69604/


> ---
>  drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> index d0e7910e7..8f73add9b 100644
> --- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> +++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> @@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf
> **rx_pkts,
>         /* Return no more than RTE_BNXT_MAX_RX_BURST per call. */
>         nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST);
>
> -       /* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */
> +       /*
> +        * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP.
> +        * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet
> +        */
>         nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP);
> +       if (!nb_pkts)
> +               return 0;
>
>         /* Handle RX burst request */
>         while (1) {
> --
> 2.11.0
>
>