* Re: [dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow
@ 2016-04-01 14:58 Sanford, Robert
0 siblings, 0 replies; 3+ messages in thread
From: Sanford, Robert @ 2016-04-01 14:58 UTC (permalink / raw)
To: Dumitrescu, Cristian, dev
>
>
>> -----Original Message-----
>> From: Robert Sanford [mailto:rsanford2@gmail.com]
>> Sent: Monday, March 28, 2016 9:52 PM
>> To: dev@dpdk.org; Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
>> Subject: [PATCH 2/4] port: fix ring writer buffer overflow
>>
>> Ring writer tx_bulk functions may write past the end of tx_buf[].
>> Solution is to double the size of tx_buf[].
>>
>> Signed-off-by: Robert Sanford <rsanford@akamai.com>
>> ---
>> lib/librte_port/rte_port_ring.c | 4 ++--
>> 1 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lib/librte_port/rte_port_ring.c
>>b/lib/librte_port/rte_port_ring.c
>> index b847fea..765ecc5 100644
>> --- a/lib/librte_port/rte_port_ring.c
>> +++ b/lib/librte_port/rte_port_ring.c
>> @@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port,
>> struct rte_port_ring_writer {
>> struct rte_port_out_stats stats;
>>
>> - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
>> + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
>> struct rte_ring *ring;
>> uint32_t tx_burst_sz;
>> uint32_t tx_buf_count;
>> @@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port,
>> struct rte_port_ring_writer_nodrop {
>> struct rte_port_out_stats stats;
>>
>> - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
>> + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
>> struct rte_ring *ring;
>> uint32_t tx_burst_sz;
>> uint32_t tx_buf_count;
>> --
>> 1.7.1
>
>Hi Robert,
>
>How is the buffer overflow taking place?
>
>After looking long and hard, I spotted that buffer overflow can
>potentially take place when the following conditions are met:
>1. The input packet burst does not meet the conditions of (a) being
>contiguous (first n bits set in pkts_mask, all the other bits cleared)
>and (b) containing a full burst, i.e. at least tx_burst_sz packets (n >=
>tx_burst_size). This is the slow(er) code path taken when local variable
>expr != 0.
>2. There are some packets already in the buffer.
>3. The number of packets in the incoming burst (i.e. popcount(pkts_mask))
>plus the number of packets already in the buffer exceeds the buffer size
>(RTE_PORT_IN_BURST_SIZE_MAX, i.e. 64).
>
>Is this the buffer overflow scenario that you detected?
>
>Thanks,
>Cristian
>
Hi Cristian,
Thanks for looking at the patches.
Yes, the buffer overflow occurs in the scenario you described. The
additional testing steps in patch 1/4 expose the overflow. The first time
that I run the table_autotest, it fails. The second time, the process
crashes.
--
Robert
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow
2016-03-28 20:51 ` [dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow Robert Sanford
@ 2016-03-31 11:21 ` Dumitrescu, Cristian
0 siblings, 0 replies; 3+ messages in thread
From: Dumitrescu, Cristian @ 2016-03-31 11:21 UTC (permalink / raw)
To: Robert Sanford, dev
> -----Original Message-----
> From: Robert Sanford [mailto:rsanford2@gmail.com]
> Sent: Monday, March 28, 2016 9:52 PM
> To: dev@dpdk.org; Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> Subject: [PATCH 2/4] port: fix ring writer buffer overflow
>
> Ring writer tx_bulk functions may write past the end of tx_buf[].
> Solution is to double the size of tx_buf[].
>
> Signed-off-by: Robert Sanford <rsanford@akamai.com>
> ---
> lib/librte_port/rte_port_ring.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lib/librte_port/rte_port_ring.c b/lib/librte_port/rte_port_ring.c
> index b847fea..765ecc5 100644
> --- a/lib/librte_port/rte_port_ring.c
> +++ b/lib/librte_port/rte_port_ring.c
> @@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port,
> struct rte_port_ring_writer {
> struct rte_port_out_stats stats;
>
> - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
> + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
> struct rte_ring *ring;
> uint32_t tx_burst_sz;
> uint32_t tx_buf_count;
> @@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port,
> struct rte_port_ring_writer_nodrop {
> struct rte_port_out_stats stats;
>
> - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
> + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
> struct rte_ring *ring;
> uint32_t tx_burst_sz;
> uint32_t tx_buf_count;
> --
> 1.7.1
Hi Robert,
How is the buffer overflow taking place?
After looking long and hard, I spotted that buffer overflow can potentially take place when the following conditions are met:
1. The input packet burst does not meet the conditions of (a) being contiguous (first n bits set in pkts_mask, all the other bits cleared) and (b) containing a full burst, i.e. at least tx_burst_sz packets (n >= tx_burst_size). This is the slow(er) code path taken when local variable expr != 0.
2. There are some packets already in the buffer.
3. The number of packets in the incoming burst (i.e. popcount(pkts_mask)) plus the number of packets already in the buffer exceeds the buffer size (RTE_PORT_IN_BURST_SIZE_MAX, i.e. 64).
Is this the buffer overflow scenario that you detected?
Thanks,
Cristian
^ permalink raw reply [flat|nested] 3+ messages in thread
* [dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow
2016-03-28 20:51 [dpdk-dev] [PATCH 0/4] port: fix and test bugs in tx_bulk ops Robert Sanford
@ 2016-03-28 20:51 ` Robert Sanford
2016-03-31 11:21 ` Dumitrescu, Cristian
0 siblings, 1 reply; 3+ messages in thread
From: Robert Sanford @ 2016-03-28 20:51 UTC (permalink / raw)
To: dev, cristian.dumitrescu
Ring writer tx_bulk functions may write past the end of tx_buf[].
Solution is to double the size of tx_buf[].
Signed-off-by: Robert Sanford <rsanford@akamai.com>
---
lib/librte_port/rte_port_ring.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/librte_port/rte_port_ring.c b/lib/librte_port/rte_port_ring.c
index b847fea..765ecc5 100644
--- a/lib/librte_port/rte_port_ring.c
+++ b/lib/librte_port/rte_port_ring.c
@@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port,
struct rte_port_ring_writer {
struct rte_port_out_stats stats;
- struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
+ struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
struct rte_ring *ring;
uint32_t tx_burst_sz;
uint32_t tx_buf_count;
@@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port,
struct rte_port_ring_writer_nodrop {
struct rte_port_out_stats stats;
- struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
+ struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
struct rte_ring *ring;
uint32_t tx_burst_sz;
uint32_t tx_buf_count;
--
1.7.1
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-04-01 14:58 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-01 14:58 [dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow Sanford, Robert
-- strict thread matches above, loose matches on Subject: below --
2016-03-28 20:51 [dpdk-dev] [PATCH 0/4] port: fix and test bugs in tx_bulk ops Robert Sanford
2016-03-28 20:51 ` [dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow Robert Sanford
2016-03-31 11:21 ` Dumitrescu, Cristian
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).