summaryrefslogtreecommitdiff
path: root/lib/librte_vhost
diff options
context:
space:
mode:
authorYuanhan Liu <yuanhan.liu@linux.intel.com>2016-03-10 12:32:46 +0800
committerThomas Monjalon <thomas.monjalon@6wind.com>2016-03-15 00:07:32 +0100
commita436f53ebfeb5a76df1e2248db8064e9dab8e739 (patch)
tree680fe0cdd613814d480962d2e9cc474cf7aed79c /lib/librte_vhost
parentc687b0b635e29c99f4dc7c91d84849130aeb89ac (diff)
downloaddpdk-a436f53ebfeb5a76df1e2248db8064e9dab8e739.zip
dpdk-a436f53ebfeb5a76df1e2248db8064e9dab8e739.tar.gz
dpdk-a436f53ebfeb5a76df1e2248db8064e9dab8e739.tar.xz
vhost: avoid dead loop chain
If a malicious guest forges a dead loop chain, it could lead to a dead loop of copying the desc buf to mbuf, which results to all mbuf being exhausted. Add a var nr_desc to avoid such case. Suggested-by: Huawei Xie <huawei.xie@intel.com> Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Diffstat (limited to 'lib/librte_vhost')
-rw-r--r--lib/librte_vhost/vhost_rxtx.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
index b0d0dff..ca939d6 100644
--- a/lib/librte_vhost/vhost_rxtx.c
+++ b/lib/librte_vhost/vhost_rxtx.c
@@ -745,6 +745,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
uint32_t cpy_len;
struct rte_mbuf *cur = m, *prev = m;
struct virtio_net_hdr *hdr;
+ /* A counter to avoid desc dead loop chain */
+ uint32_t nr_desc = 1;
desc = &vq->desc[desc_idx];
if (unlikely(desc->len < vq->vhost_hlen))
@@ -763,7 +765,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
while (desc_avail != 0 || (desc->flags & VRING_DESC_F_NEXT) != 0) {
/* This desc reaches to its end, get the next one */
if (desc_avail == 0) {
- if (unlikely(desc->next >= vq->size))
+ if (unlikely(desc->next >= vq->size ||
+ ++nr_desc >= vq->size))
return -1;
desc = &vq->desc[desc->next];