vhost: avoid dead loop chain

If a malicious guest forges a dead loop chain, it could lead to a dead
loop of copying the desc buf to mbuf, which results to all mbuf being
exhausted.

Add a var nr_desc to avoid such case.

Suggested-by: Huawei Xie <huawei.xie@intel.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>

diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
index b0d0dff..ca939d6 100644 (file)
--- a/lib/librte_vhost/vhost_rxtx.c
+++ b/lib/librte_vhost/vhost_rxtx.c
@@ -745,6 +745,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
        uint32_t cpy_len;
        struct rte_mbuf *cur = m, *prev = m;
        struct virtio_net_hdr *hdr;
+       /* A counter to avoid desc dead loop chain */
+       uint32_t nr_desc = 1;
 
        desc = &vq->desc[desc_idx];
        if (unlikely(desc->len < vq->vhost_hlen))
@@ -763,7 +765,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
        while (desc_avail != 0 || (desc->flags & VRING_DESC_F_NEXT) != 0) {
                /* This desc reaches to its end, get the next one */
                if (desc_avail == 0) {
-                       if (unlikely(desc->next >= vq->size))
+                       if (unlikely(desc->next >= vq->size ||
+                                    ++nr_desc >= vq->size))
                                return -1;
                        desc = &vq->desc[desc->next];