DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len
@ 2021-06-15  9:58 Tudor Cornea
  0 siblings, 0 replies; 3+ messages in thread
From: Tudor Cornea @ 2021-06-15  9:58 UTC (permalink / raw)
  To: dev, qiming.yang, qi.z.zhang

Greetings,

Please review the following patch for the dpdk-next-net-intel branch.

The len variable, used in the computation of max_pkt_len could overflow,
if used to store the result of the following computation:

ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len

Since, we could define the mbuf size to have a large value (i.e 13312),
and ICE_SUPPORT_CHAIN_NUM is defined as 5, the computation mentioned
above could potentially result in a value which might be bigger than
MAX_USHORT.

The result will be that Jumbo Frames will not work properly

Signed-off-by: Tudor Cornea <tudor.cornea@keysight.com>
---
 drivers/net/ice/ice_dcf_ethdev.c | 7 ++++---
 drivers/net/ice/ice_rxtx.c       | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ice/ice_dcf_ethdev.c
b/drivers/net/ice/ice_dcf_ethdev.c
index b937cbb..f73dc80 100644
--- a/drivers/net/ice/ice_dcf_ethdev.c
+++ b/drivers/net/ice/ice_dcf_ethdev.c
@@ -54,13 +54,14 @@ ice_dcf_init_rxq(struct rte_eth_dev *dev, struct
ice_rx_queue *rxq)
        struct ice_dcf_adapter *dcf_ad = dev->data->dev_private;
        struct rte_eth_dev_data *dev_data = dev->data;
        struct iavf_hw *hw = &dcf_ad->real_hw.avf;
-       uint16_t buf_size, max_pkt_len, len;
+       uint16_t buf_size, max_pkt_len;

        buf_size = rte_pktmbuf_data_room_size(rxq->mp) -
RTE_PKTMBUF_HEADROOM;
        rxq->rx_hdr_len = 0;
        rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
-       len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
-       max_pkt_len = RTE_MIN(len,
dev->data->dev_conf.rxmode.max_rx_pkt_len);
+       max_pkt_len = RTE_MIN((uint32_t)
+                             ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
+                             dev->data->dev_conf.rxmode.max_rx_pkt_len);

        /* Check if the jumbo frame and maximum packet length are set
         * correctly.
diff --git a/drivers/net/ice/ice_rxtx.c b/drivers/net/ice/ice_rxtx.c
index fc9bb5a..20352b0 100644
--- a/drivers/net/ice/ice_rxtx.c
+++ b/drivers/net/ice/ice_rxtx.c
@@ -258,7 +258,7 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
        struct rte_eth_dev_data *dev_data = rxq->vsi->adapter->pf.dev_data;
        struct ice_rlan_ctx rx_ctx;
        enum ice_status err;
-       uint16_t buf_size, len;
+       uint16_t buf_size;
        struct rte_eth_rxmode *rxmode = &dev_data->dev_conf.rxmode;
        uint32_t rxdid = ICE_RXDID_COMMS_OVS;
        uint32_t regval;
@@ -268,8 +268,8 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
                              RTE_PKTMBUF_HEADROOM);
        rxq->rx_hdr_len = 0;
        rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
-       len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
-       rxq->max_pkt_len = RTE_MIN(len,
+       rxq->max_pkt_len = RTE_MIN((uint32_t)
+                                  ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,

 dev_data->dev_conf.rxmode.max_rx_pkt_len);

        if (rxmode->offloads & DEV_RX_OFFLOAD_JUMBO_FRAME) {
-- 
2.7.4

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len
  2021-06-15 10:38 Tudor Cornea
@ 2021-06-21  4:20 ` Zhang, Qi Z
  0 siblings, 0 replies; 3+ messages in thread
From: Zhang, Qi Z @ 2021-06-21  4:20 UTC (permalink / raw)
  To: Tudor Cornea, Yang, Qiming; +Cc: dev, Tudor Cornea



> -----Original Message-----
> From: Tudor Cornea <tudor.cornea.keysight@gmail.com>
> Sent: Tuesday, June 15, 2021 6:39 PM
> To: Yang, Qiming <qiming.yang@intel.com>; Zhang, Qi Z
> <qi.z.zhang@intel.com>
> Cc: dev@dpdk.org; Tudor Cornea <tudor.cornea@keysight.com>
> Subject: [PATCH] net/ice: fix integer overflow when computing max_pkt_len
> 
> The len variable, used in the computation of max_pkt_len could overflow, if
> used to store the result of the following computation:
> 
> ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len
> 
> Since, we could define the mbuf size to have a large value (i.e 13312), and
> ICE_SUPPORT_CHAIN_NUM is defined as 5, the computation mentioned above
> could potentially result in a value which might be bigger than MAX_USHORT.
> 
> The result will be that Jumbo Frames will not work properly
> 
> Signed-off-by: Tudor Cornea <tudor.cornea@keysight.com>

Acked-by: Qi Zhang <qi.z.zhang@intel.com>

Applied to dpdk-next-net-intel after adding missing fixline and cc stable

Fixes: 1b009275e2c8 ("net/ice: add Rx queue init in DCF")
Cc: stable@dpdk.org

Thanks
Qi


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len
@ 2021-06-15 10:38 Tudor Cornea
  2021-06-21  4:20 ` Zhang, Qi Z
  0 siblings, 1 reply; 3+ messages in thread
From: Tudor Cornea @ 2021-06-15 10:38 UTC (permalink / raw)
  To: qiming.yang, qi.z.zhang; +Cc: dev, Tudor Cornea

The len variable, used in the computation of max_pkt_len could overflow,
if used to store the result of the following computation:

ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len

Since, we could define the mbuf size to have a large value (i.e 13312),
and ICE_SUPPORT_CHAIN_NUM is defined as 5, the computation mentioned
above could potentially result in a value which might be bigger than
MAX_USHORT.

The result will be that Jumbo Frames will not work properly

Signed-off-by: Tudor Cornea <tudor.cornea@keysight.com>
---
 drivers/net/ice/ice_dcf_ethdev.c | 7 ++++---
 drivers/net/ice/ice_rxtx.c       | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ice/ice_dcf_ethdev.c b/drivers/net/ice/ice_dcf_ethdev.c
index b937cbb..f73dc80 100644
--- a/drivers/net/ice/ice_dcf_ethdev.c
+++ b/drivers/net/ice/ice_dcf_ethdev.c
@@ -54,13 +54,14 @@ ice_dcf_init_rxq(struct rte_eth_dev *dev, struct ice_rx_queue *rxq)
 	struct ice_dcf_adapter *dcf_ad = dev->data->dev_private;
 	struct rte_eth_dev_data *dev_data = dev->data;
 	struct iavf_hw *hw = &dcf_ad->real_hw.avf;
-	uint16_t buf_size, max_pkt_len, len;
+	uint16_t buf_size, max_pkt_len;
 
 	buf_size = rte_pktmbuf_data_room_size(rxq->mp) - RTE_PKTMBUF_HEADROOM;
 	rxq->rx_hdr_len = 0;
 	rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
-	len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
-	max_pkt_len = RTE_MIN(len, dev->data->dev_conf.rxmode.max_rx_pkt_len);
+	max_pkt_len = RTE_MIN((uint32_t)
+			      ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
+			      dev->data->dev_conf.rxmode.max_rx_pkt_len);
 
 	/* Check if the jumbo frame and maximum packet length are set
 	 * correctly.
diff --git a/drivers/net/ice/ice_rxtx.c b/drivers/net/ice/ice_rxtx.c
index fc9bb5a..20352b0 100644
--- a/drivers/net/ice/ice_rxtx.c
+++ b/drivers/net/ice/ice_rxtx.c
@@ -258,7 +258,7 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
 	struct rte_eth_dev_data *dev_data = rxq->vsi->adapter->pf.dev_data;
 	struct ice_rlan_ctx rx_ctx;
 	enum ice_status err;
-	uint16_t buf_size, len;
+	uint16_t buf_size;
 	struct rte_eth_rxmode *rxmode = &dev_data->dev_conf.rxmode;
 	uint32_t rxdid = ICE_RXDID_COMMS_OVS;
 	uint32_t regval;
@@ -268,8 +268,8 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
 			      RTE_PKTMBUF_HEADROOM);
 	rxq->rx_hdr_len = 0;
 	rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
-	len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
-	rxq->max_pkt_len = RTE_MIN(len,
+	rxq->max_pkt_len = RTE_MIN((uint32_t)
+				   ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
 				   dev_data->dev_conf.rxmode.max_rx_pkt_len);
 
 	if (rxmode->offloads & DEV_RX_OFFLOAD_JUMBO_FRAME) {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-06-21  4:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-15  9:58 [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len Tudor Cornea
2021-06-15 10:38 Tudor Cornea
2021-06-21  4:20 ` Zhang, Qi Z

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).