From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Marchand Subject: [PATCH 1/3] mbuf: add sanity checks on segment metadata Date: Mon, 10 Sep 2018 07:45:45 +0200 Message-ID: <20180910054547.18494-2-david.marchand@6wind.com> References: <20180910054547.18494-1-david.marchand@6wind.com> Cc: olivier.matz@6wind.com, wenzhuo.lu@intel.com, jingjing.wu@intel.com, bernard.iremonger@intel.com To: dev@dpdk.org Return-path: Received: from mail-wm0-f67.google.com (mail-wm0-f67.google.com [74.125.82.67]) by dpdk.org (Postfix) with ESMTP id BAD114C91 for ; Mon, 10 Sep 2018 07:45:55 +0200 (CEST) Received: by mail-wm0-f67.google.com with SMTP id s12-v6so20149498wmc.0 for ; Sun, 09 Sep 2018 22:45:55 -0700 (PDT) In-Reply-To: <20180910054547.18494-1-david.marchand@6wind.com> List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add some basic checks on the segments offset and length metadata: always funny to have a < 0 tailroom cast to uint16_t ;-). Signed-off-by: David Marchand --- lib/librte_mbuf/rte_mbuf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c index e714c5a59..137a320ed 100644 --- a/lib/librte_mbuf/rte_mbuf.c +++ b/lib/librte_mbuf/rte_mbuf.c @@ -200,6 +200,11 @@ rte_mbuf_sanity_check(const struct rte_mbuf *m, int is_header) pkt_len = m->pkt_len; do { + if (m->data_off > m->buf_len) + rte_panic("data offset too big in mbuf segment\n"); + if ((uint32_t)m->data_off + (uint32_t)m->data_len > + (uint32_t)m->buf_len) + rte_panic("data length too big in mbuf segment\n"); nb_segs -= 1; pkt_len -= m->data_len; } while ((m = m->next) != NULL); -- 2.17.1
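Review bot: the two rte_panic() messages added inside the do/while loop say which bound was exceeded but not the values involved, so a failure on a multi-segment chain gives no indication of which segment was corrupt or by how much. Consider printing m->data_off, m->data_len and m->buf_len in the message. Also, the first test (m->data_off > m->buf_len) is implied by the second, since data_off + data_len > buf_len holds whenever data_off alone exceeds buf_len. If it is kept only to produce the more specific "data offset too big" message, a short comment saying so would help the next reader. The uint32_t casts on the sum are worth a one-line comment as well, because they are what keeps the addition from wrapping, the same class of problem the commit message points at.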