From: Tiwei Bie <tiwei.bie@intel.com>
Date: Mon, 21 Jan 2019 08:12:18 +0000 (+0800)
Subject: vhost: fix access for indirect descriptors
X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=48006390003b81f6d5c7b78e3f02ed49d1049945;p=dpdk.git

vhost: fix access for indirect descriptors

Fix a possible out of bound access which may happen when handling
indirect descs in split ring.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
Cc: stable@dpdk.org

Reported-by: Haiyue Wang <haiyue.wang@intel.com>
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 0893a1d045..37a4c00d21 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -310,6 +310,7 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	uint32_t len    = 0;
 	uint64_t dlen;
 	uint32_t nr_descs = vq->size;
+	uint32_t cnt    = 0;
 	struct vring_desc *descs = vq->desc;
 	struct vring_desc *idesc = NULL;
 
@@ -348,12 +349,7 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	}
 
 	while (1) {
-		if (unlikely(idx >= vq->size)) {
-			free_ind_table(idesc);
-			return -1;
-		}
-
-		if (unlikely(nr_descs-- == 0)) {
+		if (unlikely(idx >= nr_descs || cnt++ >= nr_descs)) {
 			free_ind_table(idesc);
 			return -1;
 		}