From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Marchand <david.marchand@redhat.com>
Subject: [PATCH v2 1/3] mbuf: add sanity checks on segment
	metadata
Date: Mon,  7 Jan 2019 09:57:10 +0100
Message-ID: <1546851432-19397-2-git-send-email-david.marchand@redhat.com>
References: <1546851432-19397-1-git-send-email-david.marchand@redhat.com>
Cc: olivier.matz@6wind.com, yskoh@mellanox.com, arybchenko@solarflare.com,
 bernard.iremonger@intel.com, David Marchand <david.marchand@6wind.com>
To: dev@dpdk.org
Return-path: <dev-bounces@dpdk.org>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by dpdk.org (Postfix) with ESMTP id CA3F01B471
 for <dev@dpdk.org>; Mon,  7 Jan 2019 09:57:21 +0100 (CET)
In-Reply-To: <1546851432-19397-1-git-send-email-david.marchand@redhat.com>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: David Marchand <david.marchand@6wind.com>

Add some basic checks on the segments offset and length metadata:
always funny to have a < 0 tailroom cast to uint16_t ;-).

Signed-off-by: David Marchand <david.marchand@6wind.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
---
 lib/librte_mbuf/rte_mbuf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c
index 9790b4f..3bbd3f5 100644
--- a/lib/librte_mbuf/rte_mbuf.c
+++ b/lib/librte_mbuf/rte_mbuf.c
@@ -200,6 +200,10 @@ struct rte_mempool *
 	pkt_len = m->pkt_len;
 
 	do {
+		if (m->data_off > m->buf_len)
+			rte_panic("data offset too big in mbuf segment\n");
+		if (m->data_off + m->data_len > m->buf_len)
+			rte_panic("data length too big in mbuf segment\n");
 		nb_segs -= 1;
 		pkt_len -= m->data_len;
 	} while ((m = m->next) != NULL);
-- 
1.8.3.1