From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jasvinder Singh <jasvinder.singh@intel.com>
Subject: [PATCH] librte_port: fix the buffer overflow for ring
	writer
Date: Mon, 11 Apr 2016 18:55:37 +0100
Message-ID: <1460397337-237625-1-git-send-email-jasvinder.singh@intel.com>
Cc: cristian.dumitrescu@intel.com
To: dev@dpdk.org
Return-path: <dev-bounces@dpdk.org>
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120])
 by dpdk.org (Postfix) with ESMTP id EA3AD2BE6
 for <dev@dpdk.org>; Mon, 11 Apr 2016 19:49:15 +0200 (CEST)
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Fixes the buffer overflow that occurs due to following;

1. When the input packet burst does not meet the conditions: (a) being
contiguous (first n bits set in pkts_mask, all the other bits cleared)
and (b) containing a full burst, i.e. at least tx_burst_sz packets
(n >= tx_burst_size). This is the slow(er) code path taken when local
variable expr != 0.
2. There are some packets already in the buffer.
3. The number of packets in the incoming burst (i.e. popcount(pkts_mask))
plus the number of packets already in the buffer exceeds the buffer size
(RTE_PORT_IN_BURST_SIZE_MAX, i.e. 64).

Fixes: bf6931b242f7 ("port: ring")
Fixes: 5f4cd47309d6 ("port: add ring writer nodrop")

Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
---
 lib/librte_port/rte_port_ring.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/librte_port/rte_port_ring.c b/lib/librte_port/rte_port_ring.c
index d36e12d..3b9d3d0 100644
--- a/lib/librte_port/rte_port_ring.c
+++ b/lib/librte_port/rte_port_ring.c
@@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port,
 struct rte_port_ring_writer {
 	struct rte_port_out_stats stats;
 
-	struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
+	struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
 	struct rte_ring *ring;
 	uint32_t tx_burst_sz;
 	uint32_t tx_buf_count;
@@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port,
 struct rte_port_ring_writer_nodrop {
 	struct rte_port_out_stats stats;
 
-	struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
+	struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
 	struct rte_ring *ring;
 	uint32_t tx_burst_sz;
 	uint32_t tx_buf_count;
-- 
2.5.5