From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 4DE7EA00C5;
	Thu, 30 Apr 2020 15:45:55 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id C739A1DBD9;
	Thu, 30 Apr 2020 15:45:54 +0200 (CEST)
Received: from mail-ot1-f68.google.com (mail-ot1-f68.google.com
 [209.85.210.68]) by dpdk.org (Postfix) with ESMTP id 1C0F31DBD8
 for <dev@dpdk.org>; Thu, 30 Apr 2020 15:45:53 +0200 (CEST)
Received: by mail-ot1-f68.google.com with SMTP id i27so4919040ota.7
 for <dev@dpdk.org>; Thu, 30 Apr 2020 06:45:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=pvssWmD6CaWd3Z2dXg/9I5EFWfxgy0LIGbLPqbW8eRQ=;
 b=QMrhrmIGR4qaFaMbnS3UpfmJ96Ve5Mqq3SPPTvCcsIvvKWFrFRtPWrmXqWXWDNM/sI
 sqXzJPLKZ/6LUjC4D9Fa8k6we4bqZoWDzzveuerQHcD8HWcWpZA2XpDue8zwF34xA04u
 jLdcLVh7SbRx0GdXk6sdax4QCmy5eGoVP1sbE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=pvssWmD6CaWd3Z2dXg/9I5EFWfxgy0LIGbLPqbW8eRQ=;
 b=sNG491ec9vlNZolUcRUEsKJrtDNBhl2vUtOmy2G7Ajt2p8tngjaX1laiZiB8ejkVa7
 hvDWOTGsRMd0QgVTp3YtIIox0VKyN1XY6lURgE/7xX7qrN8wURTVY4hbS47fU/OgYglk
 qtfvtFsmnw3ril5cP0qahq3yMBvROkBoCrH18BFOMpGYK7zyl4hf5JJbK6X9R9HDK2b1
 66ZbPUR8tkjc+n6DtaCc+FnhAp9LXTtUIpzoqgkOrQ1R0vqKHo2UJ5oGzVivDIhGkGtP
 PSlff0o2bwoS0LBCXg/NnakJjju5laepyCQ09XHvDWZ6LBVBcHiT+i08qtj/544oltLS
 E1gQ==
X-Gm-Message-State: AGi0PuacyQGzE8QvGP/nvubE5nEp4o/6MlRFfrontlvtKswM+e3OmHxv
 GQBFPnWfyt7155SDz3T5pZFa+NYw3fH6OdAMsXn4HA==
X-Google-Smtp-Source: APiQypJeIef9yFctefWDXWiGh3Be7aAofcNMnzAWPVghqHkwuOYebvHmJ+0uocvQZZCLBWe/WEcGHLRHvDN20b45kN8=
X-Received: by 2002:a9d:470b:: with SMTP id a11mr2557083otf.44.1588254352321; 
 Thu, 30 Apr 2020 06:45:52 -0700 (PDT)
MIME-Version: 1.0
References: <1588253872-19024-1-git-send-email-yuanlinsi01@baidu.com>
In-Reply-To: <1588253872-19024-1-git-send-email-yuanlinsi01@baidu.com>
From: Lance Richardson <lance.richardson@broadcom.com>
Date: Thu, 30 Apr 2020 09:45:41 -0400
Message-ID: <CADyeNEBsh0Vd15CgdZrW6ORkfYfoNobbiU2iRKiEC6bcAUwAcA@mail.gmail.com>
To: Yuan Linsi <yuanlinsi01@baidu.com>
Cc: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>,
 Somnath Kotur <somnath.kotur@broadcom.com>, dev@dpdk.org
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [dpdk-dev] [PATCH] net/bnxt: fix a possible stack smashing
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Thu, Apr 30, 2020 at 9:37 AM Yuan Linsi <yuanlinsi01@baidu.com> wrote:
>
> From: yuanlinsi01 <yuanlinsi01@baidu.com>
>
> We see a stack smashing as a result of defensive code missing. Once the
> nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to
> zero after doing a floor align, and we can not exit the following
> receiving packets loop. And the buffers will be overwrite, then the
> stack frame was ruined.
>
> Fix the problem by adding defensive code, once the nb_pkts is zero, just
> directly return with no packets.
>
> Fixes: bc4a000f2 ("net/bnxt: implement SSE vector mode")
> Cc: stable@dpdk.org
>
> Signed-off-by: yuanlinsi01 <yuanlinsi01@baidu.com>
> Signed-off-by: rongdongsheng <rongdongsheng@baidu.com>
> ---
>  drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> index d0e7910e7..8f73add9b 100644
> --- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> +++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
> @@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts,
>         /* Return no more than RTE_BNXT_MAX_RX_BURST per call. */
>         nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST);
>
> -       /* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */
> +       /*
> +        * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP.
> +        * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet
> +        */
>         nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP);
> +       if (!nb_pkts)
> +               return 0;
>
>         /* Handle RX burst request */
>         while (1) {
> --
> 2.11.0
>
Thanks for the fix!

Acked-by: Lance Richardson <lance.richardson@broadcom.com>