From mboxrd@z Thu Jan 1 00:00:00 1970 From: Maxime Coquelin Subject: [PATCH] vhost: fix off-by-one error on nr_desc check Date: Mon, 25 Jul 2016 16:09:58 +0200 Message-ID: <1469455798-19790-1-git-send-email-maxime.coquelin@redhat.com> Cc: dev@dpdk.org, Maxime Coquelin To: huawei.xie@intel.com, yuanhan.liu@linux.intel.com Return-path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id 324212C01 for ; Mon, 25 Jul 2016 16:10:10 +0200 (CEST) List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" nr_desc is not an index but the number of descriptors, so can be equal to the virtqueue size. Fixes: a436f53ebfeb ("vhost: avoid dead loop chain") Cc: Yuanhan Liu Signed-off-by: Maxime Coquelin --- Hi Yuanhan, I faced the bug while testing my indirect descriptor patch, it happens as soon as the number of chained descriptors is above 2. But the bug may in theory also be faced with normal descriptors, so it might be good to have it in 16.07? Regards, Maxime --- lib/librte_vhost/vhost_rxtx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c index bc00518..08a73fd 100644 --- a/lib/librte_vhost/vhost_rxtx.c +++ b/lib/librte_vhost/vhost_rxtx.c @@ -748,7 +748,7 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, break; if (unlikely(desc->next >= vq->size || - ++nr_desc >= vq->size)) + ++nr_desc > vq->size)) return -1; desc = &vq->desc[desc->next]; -- 2.7.4
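Review bot: In the copy_desc_to_mbuf hunk, the two halves of the condition now use different comparisons (`desc->next >= vq->size` and `++nr_desc > vq->size`) with nothing in the code saying why, so a later cleanup could easily align them again and reintroduce the off-by-one. A short comment above the check stating that desc->next is an index into vq->desc while nr_desc is a count of descriptors walked would make the distinction stick. Because this check is what bounds the chain walk (per the Fixes: tag, "avoid dead loop chain"), it is also worth confirming the initial value of nr_desc, which is outside the visible context: `>` is the right bound only if the first descriptor has already been counted before this pre-increment runs, otherwise the walk accepts one more descriptor than the ring holds.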