vhost: fix split ring potential buffer overflow

In vhost datapath, descriptor's length are mostly used in two coherent
operations. First step is used for address translation, second step is
used for memory transaction from guest to host. But the interval between
two steps will give a window for malicious guest, in which can change
descriptor length after vhost calculated buffer size. Thus may lead to
buffer overflow in vhost side. This potential risk can be eliminated by
accessing the descriptor length once.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
Cc: stable@dpdk.org
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 3d8e29df098012e51003708922cbe6032f0ae12b..852b4ec9f518e5039f5f728e67a755c9169f4d2b 100644 (file)
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
                        return -1;
                }
 
-               len += descs[idx].len;
+               dlen = descs[idx].len;
+               len += dlen;
 
                if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,
-                                               descs[idx].addr, descs[idx].len,
+                                               descs[idx].addr, dlen,
                                                perm))) {
                        free_ind_table(idesc);
                        return -1;