From d2475e890307a6edd9fdfcfc83b82d543881545e Mon Sep 17 00:00:00 2001 From: Maxime Coquelin Date: Mon, 19 Oct 2020 19:34:13 +0200 Subject: [PATCH] vhost: validate index in inflight API This patch validates the queue index parameter, in order to ensure neither out-of-bound accesses nor NULL pointer dereferencing happen. Fixes: 4d891f77ddfa ("vhost: add APIs to get inflight ring") Cc: stable@dpdk.org Signed-off-by: Maxime Coquelin Reviewed-by: Chenbo Xia --- lib/librte_vhost/vhost.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost.c b/lib/librte_vhost/vhost.c index b9afe46ca2..f78bdfcc94 100644 --- a/lib/librte_vhost/vhost.c +++ b/lib/librte_vhost/vhost.c @@ -1523,15 +1523,23 @@ rte_vhost_get_vring_base_from_inflight(int vid, uint16_t *last_used_idx) { struct rte_vhost_inflight_info_packed *inflight_info; + struct vhost_virtqueue *vq; struct virtio_net *dev = get_device(vid); if (dev == NULL || last_avail_idx == NULL || last_used_idx == NULL) return -1; + if (queue_id >= VHOST_MAX_VRING) + return -1; + + vq = dev->virtqueue[queue_id]; + if (!vq) + return -1; + if (!vq_is_packed(dev)) return -1; - inflight_info = dev->virtqueue[queue_id]->inflight_packed; + inflight_info = vq->inflight_packed; if (!inflight_info) return -1; -- 2.20.1