* [DPDK/ethdev Bug 1877] virtio: potential integer overflow
@ 2026-02-04 17:31 bugzilla
0 siblings, 0 replies; only message in thread
From: bugzilla @ 2026-02-04 17:31 UTC (permalink / raw)
To: dev
http://bugs.dpdk.org/show_bug.cgi?id=1877
Bug ID: 1877
Summary: virtio: potential integer overflow
Product: DPDK
Version: 25.11
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: stephen@networkplumber.org
Target Milestone: ---
While reusing this code snippet in another driver, AI review noticed possible
overflow:
if (hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
hdrlen = hdr_lens.l2_len + hdr_lens.l3_len + hdr_lens.l4_len;
if (hdr->csum_start <= hdrlen && l4_supported) {
m->ol_flags |= RTE_MBUF_F_RX_L4_CKSUM_NONE;
} else {
/* Unknown proto or tunnel, do sw cksum. We can assume
* the cksum field is in the first segment since the
* buffers we provided to the host are large enough.
* In case of SCTP, this will be wrong since it's a CRC
* but there's nothing we can do.
*/
uint16_t csum = 0, off;
if (rte_raw_cksum_mbuf(m, hdr->csum_start,
rte_pktmbuf_pkt_len(m) - hdr->csum_start,
&csum) < 0)
return -EINVAL;
if (likely(csum != 0xffff))
csum = ~csum;
off = hdr->csum_offset + hdr->csum_start;
1. **Potential integer overflow** in eth_ioring_rx_offload
```c
off = hdr->csum_offset + hdr->csum_start;
```
Both are uint16_t from untrusted source; sum could overflow.
---
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-02-04 17:31 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-04 17:31 [DPDK/ethdev Bug 1877] virtio: potential integer overflow bugzilla
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.