From mboxrd@z Thu Jan  1 00:00:00 1970
From: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Subject: Re: A question about the function fill_vec_buf
Date: Mon, 16 Jan 2017 15:04:25 +0800
Message-ID: <20170116070425.GM9770@yliu-dev.sh.intel.com>
References: <34EFBCA9F01B0748BEB6B629CE643AE60BA9405D@DGGEMA505-MBX.china.huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Cc: "huawei.xie@intel.com" <huawei.xie@intel.com>,
 "dev@dpdk.org" <dev@dpdk.org>
To: wangyunjian <wangyunjian@huawei.com>
Return-path: <dev-bounces@dpdk.org>
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 by dpdk.org (Postfix) with ESMTP id 5E6B4108F
 for <dev@dpdk.org>; Mon, 16 Jan 2017 08:02:18 +0100 (CET)
Content-Disposition: inline
In-Reply-To: <34EFBCA9F01B0748BEB6B629CE643AE60BA9405D@DGGEMA505-MBX.china.huawei.com>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Fri, Jan 13, 2017 at 10:20:55AM +0000, wangyunjian wrote:
> In function fill_vec_buf, it will happen uint32_t cast to uint16_t, when the
> *desc_chain_len is assigned by the len.
> 
> This maybe result in data truncation.

Do you have a real example?

I don't think data truncation could happen here (when this piece of code
just handles virtio-net part): a packet length could not exceed 64K.

	--yliu
> 
>  
> 
> static inline int __attribute__((always_inline))
> 
> fill_vec_buf(struct virtio_net *dev, struct vhost_virtqueue *vq,
> 
>                                                 uint32_t avail_idx, uint32_t
> *vec_idx,
> 
>                                                 struct buf_vector *buf_vec,
> uint16_t *desc_chain_head,
> 
>                                                 uint16_t *desc_chain_len)
>                                                                         --The
> desc_chain_len is defined uint16_t.
> 
> {
> 
>                 uint16_t idx = vq->avail->ring[avail_idx & (vq->size - 1)];
> 
>                 uint32_t vec_id = *vec_idx;
> 
>                 uint32_t len    = 0;
>                                                                                                                           
> --The len is defined uint32_t.
> 
>                 struct vring_desc *descs = vq->desc;
> 
>  
> 
>                 *desc_chain_head = idx;
> 
>                 …
> 
>  
> 
>                 while (1) {
> 
>                                 if (unlikely(vec_id >= BUF_VECTOR_MAX || idx >=
> vq->size))
> 
>                                                 return -1;
> 
>  
> 
>                                 len += descs[idx].len; 
> 
>                                 buf_vec[vec_id].buf_addr = descs[idx].addr;
> 
>                                 buf_vec[vec_id].buf_len  = descs[idx].len;
> 
>                                 buf_vec[vec_id].desc_idx = idx;
> 
>                                 vec_id++;
> 
>  
> 
>                                 if ((descs[idx].flags & VRING_DESC_F_NEXT) ==
> 0)
> 
>                                                 break;
> 
>  
> 
>                                 idx = descs[idx].next;
> 
>                 }
> 
>  
> 
>                 *desc_chain_len = len;
>                                                       
>                                                       --Here, uint32_t cast to
> uint16_t.
> 
>                 *vec_idx = vec_id;
> 
>  
> 
>                 return 0;
> 
> }
>