From: Yuanhan Liu
Subject: Re: [PATCH] vhost: avoid buffer overflow in update_secure_len
Date: Wed, 18 Nov 2015 13:32:51 +0800
Message-ID: <20151118053251.GY2326@yliu-dev.sh.intel.com>
References: <1447315353-42152-1-git-send-email-rlane@bigswitch.com> <20151112092305.GI2326@yliu-dev.sh.intel.com> <20151117132349.GT2326@yliu-dev.sh.intel.com> <20151118025655.GW2326@yliu-dev.sh.intel.com>
Cc: dev@dpdk.org
To: Rich Lane
List-Id: patches and discussions about DPDK

On Tue, Nov 17, 2015 at 09:26:57PM -0800, Rich Lane wrote:
> On Tue, Nov 17, 2015 at 6:56 PM, Yuanhan Liu wrote:
>
> @@ -519,6 +526,8 @@ virtio_dev_merge_rx(struct virtio_net *dev, uin= t16_t > queue_id, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 goto merge_rx_exit; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } e= lse { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 update_secure_len(vq, res_cur_idx, > &secure_len, &vec_idx); > +=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0if (secure_len =3D=3D 0) > +=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0goto merge_rx_exit; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 res_cur_idx++; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } while (pkt_len > = secure_len); >=20 >=20
> I think this needs to check whether secure_len was modified. secure_len is read-write and could have a nonzero value going into the call. It could be cleaner to give update_secure_len a return value saying whether it was able to reserve any buffers.

Good suggestion.

--yliu

>
> Otherwise looks good, thanks!
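Review bot: The added `if (secure_len == 0) goto merge_rx_exit;` in the `else` branch only detects a failed reservation on the first pass through the `do { ... } while (pkt_len > secure_len);` loop, because `secure_len` is passed to `update_secure_len()` by pointer and keeps whatever value earlier iterations accumulated; a later call that reserves nothing leaves it nonzero, the check is skipped, `res_cur_idx++` runs, and the loop continues as if buffers had been reserved. Either snapshot `secure_len` before the call and bail out when it is unchanged, or, as Rich suggests, have `update_secure_len()` return whether it reserved any buffers and branch to `merge_rx_exit` on that result rather than on the accumulated length.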