From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 6BA34A00C2 for ; Mon, 18 Jul 2022 15:08:50 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 66CAF415D7; Mon, 18 Jul 2022 15:08:50 +0200 (CEST) Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by mails.dpdk.org (Postfix) with ESMTP id 6C1C94069F; Mon, 18 Jul 2022 15:08:48 +0200 (CEST) Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.53]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Lmj023Y1QzkX3V; Mon, 18 Jul 2022 21:06:26 +0800 (CST) Received: from dggpemm500008.china.huawei.com (7.185.36.136) by dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 18 Jul 2022 21:08:46 +0800 Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com (7.185.36.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 18 Jul 2022 21:08:45 +0800 From: Yunjian Wang To: CC: , , , , Yunjian Wang , Subject: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst Date: Mon, 18 Jul 2022 21:08:44 +0800 Message-ID: <23483205275b4639324b82c1607cd867327bf783.1658146483.git.wangyunjian@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: <20210810064323.4161835-1-jilei8@huawei.com> References: <20210810064323.4161835-1-jilei8@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.174.242.157] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpemm500008.china.huawei.com (7.185.36.136) X-CFilter-Loop: Reflected X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org In bond_ethdev_rx_burst() function, we check the validity of the 'active_slave' as this code: if (++active_slave == slave_count) active_slave = 0; However, the value of 'active_slave' maybe equal to 'slave_count', when a slave is down. This is wrong and it can cause buffer overflow. This patch fixes the issue by using '>=' instead of '=='. Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness") Cc: stable@dpdk.org Signed-off-by: Lei Ji Signed-off-by: Yunjian Wang --- drivers/net/bonding/rte_eth_bond_pmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index 73e6972035..6f8a6da108 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) bufs + num_rx_total, nb_pkts); num_rx_total += num_rx_slave; nb_pkts -= num_rx_slave; - if (++active_slave == slave_count) + if (++active_slave >= slave_count) active_slave = 0; } -- 2.27.0