From mboxrd@z Thu Jan  1 00:00:00 1970
From: "John W. Linville" <linville@tuxdriver.com>
Subject: Re: [PATCH v2 09/13] PMD/af_packet: guard against buffer
 overruns in TX path
Date: Tue, 13 Dec 2016 11:06:06 -0500
Message-ID: <20161213160605.GB27914@tuxdriver.com>
References: <9c5b028d62c8422031e451c91232d34e562cf4cf.1481590851.git.mirq-linux@rere.qmqm.pl>
 <20161213010927.9B12CFA30@dpdk.org>
 <9c988a6bcc6c4179685cce5ae0560f850e7fad2e.1481592081.git.mirq-linux@rere.qmqm.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Cc: dev@dpdk.org
To: =?utf-8?B?TWljaGHFgiBNaXJvc8WCYXc=?= <mirq-linux@rere.qmqm.pl>
Return-path: <dev-bounces@dpdk.org>
Received: from smtp.tuxdriver.com (charlotte.tuxdriver.com [70.61.120.58])
 by dpdk.org (Postfix) with ESMTP id C6FE9106A
 for <dev@dpdk.org>; Tue, 13 Dec 2016 17:15:13 +0100 (CET)
Content-Disposition: inline
In-Reply-To: <9c988a6bcc6c4179685cce5ae0560f850e7fad2e.1481592081.git.mirq-linux@rere.qmqm.pl>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Tue, Dec 13, 2016 at 02:28:34AM +0100, Michał Mirosław wrote:
> Signed-off-by: Michał Mirosław <michal.miroslaw@atendesoftware.pl>

Acked-by: John W. Linville <linville@tuxdriver.com>

> ---
>  drivers/net/af_packet/rte_eth_af_packet.c | 20 +++++++++++++++-----
>  1 file changed, 15 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c
> index 5599e02..fc2dc4a 100644
> --- a/drivers/net/af_packet/rte_eth_af_packet.c
> +++ b/drivers/net/af_packet/rte_eth_af_packet.c
> @@ -83,6 +83,7 @@ struct pkt_rx_queue {
>  
>  struct pkt_tx_queue {
>  	int sockfd;
> +	unsigned int frame_data_size;
>  
>  	struct iovec *rd;
>  	uint8_t *map;
> @@ -206,13 +207,20 @@ eth_af_packet_tx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>  	framenum = pkt_q->framenum;
>  	ppd = (struct tpacket2_hdr *) pkt_q->rd[framenum].iov_base;
>  	for (i = 0; i < nb_pkts; i++) {
> +		mbuf = *bufs++;
> +
> +		/* drop oversized packets */
> +		if (rte_pktmbuf_data_len(mbuf) > pkt_q->frame_data_size) {
> +			rte_pktmbuf_free(mbuf);
> +			continue;
> +		}
> +
>  		/* point at the next incoming frame */
>  		if ((ppd->tp_status != TP_STATUS_AVAILABLE) &&
>  		    (poll(&pfd, 1, -1) < 0))
> -				continue;
> +			break;
>  
>  		/* copy the tx frame data */
> -		mbuf = bufs[num_tx];
>  		pbuf = (uint8_t *) ppd + TPACKET2_HDRLEN -
>  			sizeof(struct sockaddr_ll);
>  		memcpy(pbuf, rte_pktmbuf_mtod(mbuf, void*), rte_pktmbuf_data_len(mbuf));
> @@ -231,13 +239,13 @@ eth_af_packet_tx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>  
>  	/* kick-off transmits */
>  	if (sendto(pkt_q->sockfd, NULL, 0, MSG_DONTWAIT, NULL, 0) == -1)
> -		return 0; /* error sending -- no packets transmitted */
> +		num_tx = 0; /* error sending -- no packets transmitted */
>  
>  	pkt_q->framenum = framenum;
>  	pkt_q->tx_pkts += num_tx;
> -	pkt_q->err_pkts += nb_pkts - num_tx;
> +	pkt_q->err_pkts += i - num_tx;
>  	pkt_q->tx_bytes += num_tx_bytes;
> -	return num_tx;
> +	return i;
>  }
>  
>  static int
> @@ -634,6 +642,8 @@ rte_pmd_init_internals(const char *name,
>  
>  		tx_queue = &((*internals)->tx_queue[q]);
>  		tx_queue->framecount = req->tp_frame_nr;
> +		tx_queue->frame_data_size = req->tp_frame_size;
> +		tx_queue->frame_data_size -= TPACKET2_HDRLEN - sizeof(struct sockaddr_ll);
>  
>  		tx_queue->map = rx_queue->map + req->tp_block_size * req->tp_block_nr;
>  
> -- 
> 2.10.2
> 
> 

-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.