* [PATCH] net/memif: fix buffer overflow in zero copy Rx
@ 2024-06-28 19:45 Mihai Brodschi
0 siblings, 0 replies; only message in thread
From: Mihai Brodschi @ 2024-06-28 19:45 UTC (permalink / raw)
To: Jakub Grajciar, Ferruh Yigit; +Cc: dev, Mihai Brodschi, stable
[-- Attachment #1: Type: text/plain, Size: 2684 bytes --]
rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate
new mbufs to be provided to the sender. The allocated mbuf pointers
are stored in a ring, but the alloc function doesn't implement index
wrap-around, so it writes past the end of the array. This results in
memory corruption and duplicate mbufs being received.
Allocate 2x the space for the mbuf ring, so that the alloc function
has a contiguous array to write to, then copy the excess entries
to the start of the array.
Fixes: 43b815d88188 ("net/memif: support zero-copy slave")
Cc: stable@dpdk.org
Signed-off-by: Mihai Brodschi <mihai.brodschi@broadcom.com>
---
drivers/net/memif/rte_eth_memif.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/net/memif/rte_eth_memif.c
b/drivers/net/memif/rte_eth_memif.c
index 16da22b5c6..3491c53cf1 100644
--- a/drivers/net/memif/rte_eth_memif.c
+++ b/drivers/net/memif/rte_eth_memif.c
@@ -600,6 +600,10 @@ eth_memif_rx_zc(void *queue, struct rte_mbuf
**bufs, uint16_t nb_pkts)
ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask],
n_slots);
if (unlikely(ret < 0))
goto no_free_mbufs;
+ if (unlikely(n_slots > ring_size - (head & mask))) {
+ rte_memcpy(mq->buffers, &mq->buffers[ring_size],
+ (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *));
+ }
while (n_slots--) {
s0 = head++ & mask;
@@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev)
}
mq->buffers = NULL;
if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) {
+ /*
+ * Allocate 2x ring_size to reserve a contiguous array for
+ * rte_pktmbuf_alloc_bulk (to store allocated mbufs).
+ */
mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) *
- (1 << mq->log2_ring_size), 0);
+ (1 << (mq->log2_ring_size + 1)), 0);
if (mq->buffers == NULL)
return -ENOMEM;
}
--
2.43.0
--
This electronic communication and the information and any files transmitted
with it, or attached to it, are confidential and are intended solely for
the use of the individual or entity to whom it is addressed and may contain
information that is confidential, legally privileged, protected by privacy
laws, or otherwise restricted from disclosure to anyone else. If you are
not the intended recipient or the person responsible for delivering the
e-mail to the intended recipient, you are hereby notified that any use,
copying, distributing, dissemination, forwarding, printing, or copying of
this e-mail is strictly prohibited. If you received this e-mail in error,
please return the e-mail to the sender, delete it from your computer, and
destroy any printed copy of it.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4215 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-06-28 19:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-28 19:45 [PATCH] net/memif: fix buffer overflow in zero copy Rx Mihai Brodschi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).