From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ouyang Changchun <changchun.ouyang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Subject: [PATCH v4 3/3] vhost: Check offset value
Date: Wed,  5 Nov 2014 15:10:35 +0800
Message-ID: <1415171435-24252-4-git-send-email-changchun.ouyang@intel.com>
References: <1415084708-8192-1-git-send-email-changchun.ouyang@intel.com>
 <1415171435-24252-1-git-send-email-changchun.ouyang@intel.com>
To: dev-VfR2kkLFssw@public.gmane.org
Return-path: <dev-bounces-VfR2kkLFssw@public.gmane.org>
In-Reply-To: <1415171435-24252-1-git-send-email-changchun.ouyang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request-VfR2kkLFssw@public.gmane.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev-VfR2kkLFssw@public.gmane.org>
List-Help: <mailto:dev-request-VfR2kkLFssw@public.gmane.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request-VfR2kkLFssw@public.gmane.org?subject=subscribe>
Errors-To: dev-bounces-VfR2kkLFssw@public.gmane.org
Sender: "dev" <dev-bounces-VfR2kkLFssw@public.gmane.org>

This patch checks the packet length offset value, and checks if the extra bytes inside buffer
cross page boundary.

Signed-off-by: Changchun Ouyang <changchun.ouyang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
---
 examples/vhost/main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/examples/vhost/main.c b/examples/vhost/main.c
index 2916313..a93f7a0 100644
--- a/examples/vhost/main.c
+++ b/examples/vhost/main.c
@@ -1110,7 +1110,8 @@ virtio_tx_route(struct vhost_dev *vdev, struct rte_mbuf *m, uint16_t vlan_tag)
 	}
 
 	if (vm2vm_mode == VM2VM_HARDWARE) {
-		if (find_local_dest(dev, m, &offset, &vlan_tag) != 0) {
+		if (find_local_dest(dev, m, &offset, &vlan_tag) != 0 ||
+			offset > rte_pktmbuf_tailroom(m)) {
 			rte_pktmbuf_free(m);
 			return;
 		}
@@ -1896,7 +1897,9 @@ virtio_dev_tx_zcp(struct virtio_net *dev)
 
 		/* Buffer address translation. */
 		buff_addr = gpa_to_vva(dev, desc->addr);
-		phys_addr = gpa_to_hpa(vdev, desc->addr, desc->len, &addr_type);
+		/* Need check extra VLAN_HLEN size for inserting VLAN tag */
+		phys_addr = gpa_to_hpa(vdev, desc->addr, desc->len + VLAN_HLEN,
+			&addr_type);
 
 		if (likely(packet_success < (free_entries - 1)))
 			/* Prefetch descriptor index. */
-- 
1.8.4.2