From: Yuanhan Liu Date: Thu, 10 Mar 2016 04:32:45 +0000 (+0800) Subject: vhost: check for ring descriptors overflow X-Git-Tag: spdx-start~7434 X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=c687b0b635e29c99f4dc7c91d84849130aeb89ac;p=dpdk.git vhost: check for ring descriptors overflow A malicious guest may easily forge some illegal vring desc buf. To make our vhost robust, we need make sure desc->next will not go beyond the vq->desc[] array. Suggested-by: Rich Lane Signed-off-by: Yuanhan Liu --- diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c index c1760ff54c..b0d0dff288 100644 --- a/lib/librte_vhost/vhost_rxtx.c +++ b/lib/librte_vhost/vhost_rxtx.c @@ -183,6 +183,8 @@ copy_mbuf_to_desc(struct virtio_net *dev, struct vhost_virtqueue *vq, /* Room in vring buffer is not enough */ return -1; } + if (unlikely(desc->next >= vq->size)) + return -1; desc = &vq->desc[desc->next]; desc_addr = gpa_to_vva(dev, desc->addr); @@ -345,7 +347,7 @@ fill_vec_buf(struct vhost_virtqueue *vq, uint32_t avail_idx, uint32_t len = *allocated; while (1) { - if (vec_id >= BUF_VECTOR_MAX) + if (unlikely(vec_id >= BUF_VECTOR_MAX || idx >= vq->size)) return -1; len += vq->desc[idx].len; @@ -761,6 +763,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, while (desc_avail != 0 || (desc->flags & VRING_DESC_F_NEXT) != 0) { /* This desc reaches to its end, get the next one */ if (desc_avail == 0) { + if (unlikely(desc->next >= vq->size)) + return -1; desc = &vq->desc[desc->next]; desc_addr = gpa_to_vva(dev, desc->addr);