net/virtio: fix untrusted scalar value

The unscrutinized value may be incorrectly assumed to be within a certain
range by later operations.

In vhost_user_read: An unscrutinized value from an untrusted source used
in a trusted context - the value of sz_payload may be harmfull and we need
limit them to the max value of payload.

Coverity issue: 139601
Fixes: 6a84c37e3975 ("net/virtio-user: add vhost-user adapter layer")
Cc: stable@dpdk.org
Signed-off-by: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
Acked-by: Jianfeng Tan <jianfeng.tan@intel.com>
Acked-by: Yuanhan Liu <yliu@fridaylinux.org>

diff --git a/drivers/net/virtio/virtio_user/vhost_user.c b/drivers/net/virtio/virtio_user/vhost_user.c
index 4ad7b21..97bd832 100644 (file)
--- a/drivers/net/virtio/virtio_user/vhost_user.c
+++ b/drivers/net/virtio/virtio_user/vhost_user.c
@@ -130,6 +130,10 @@ vhost_user_read(int fd, struct vhost_user_msg *msg)
        }
 
        sz_payload = msg->size;
+
+       if ((size_t)sz_payload > sizeof(msg->payload))
+               goto fail;
+
        if (sz_payload) {
                ret = recv(fd, (void *)((char *)msg + sz_hdr), sz_payload, 0);
                if (ret < sz_payload) {