[dpdk-dev] [PATCH] net/bnxt: fix a possible stack smashing

yuanlinsi01 yuanlinsi01 at baidu.com
Thu Apr 30 12:08:16 CEST 2020


We see stack smashing as a result of missing defensive code. Once
nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to
zero after doing a floor align, and we cannot exit the following
packet receiving loop. The buffers will then be overwritten, and the
stack frame is ruined.

Fix the problem by adding defensive code: once nb_pkts is zero, just
return directly with no packets.

__GI___backtrace (array=0x7fcec7ac3f00, size=256) at ../sysdeps/x86_64/backtrace.c:103
catch_segfault () from /lib64/libSegFault.so
<signal handler called>
__GI___backtrace (array=array@entry=0x7fcec7ac62e0, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
backtrace_and_maps (do_abort=do_abort@entry=2, written=<optimized out>, fd=fd@entry=2) at ../sysdeps/unix/sysv/linux/libc_fatal.c:47
__libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fced6091c60 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:172
__GI___fortify_fail (msg=msg@entry=0x7fced6091c48 "stack smashing detected") at fortify_fail.c:31
__stack_chk_fail () at stack_chk_fail.c:28
bnxt_recv_pkts_vec (rx_queue=0x14c571f00, rx_pkts=0x7fcec7ac6f28, nb_pkts=0)
rte_eth_rx_burst (port_id=1, queue_id=3, rx_pkts=0x7fcec7ac6f28, nb_pkts=1)

Signed-off-by: yuanlinsi01 <yuanlinsi01 at baidu.com>
Signed-off-by: rongdongsheng <rongdongsheng at baidu.com>
---
 drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
index d0e7910e7..c4adccdbc 100644
--- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
+++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c
@@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts,
 	/* Return no more than RTE_BNXT_MAX_RX_BURST per call. */
 	nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST);
 
-	/* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */
+	/*
+	 * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP
+	 * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet
+	 */
 	nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP);
+	if (!nb_pkts)
+		return 0;
 
 	/* Handle RX burst request */
 	while (1) {
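
Review bot: The early return at `if (!nb_pkts) return 0;` means a caller that always requests fewer than RTE_BNXT_DESCS_PER_LOOP packets gets zero packets on every call, and the backtrace in the commit message shows exactly such a caller (rte_eth_rx_burst with nb_pkts=1). The guard stops the overwrite, but the new comment should state this minimum burst size as a requirement of the vector receive path, so that an application polling with a small nb_pkts can tell "no packets available" apart from "burst size too small". The comment also runs two sentences together without punctuation; something like "Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP. If nb_pkts is smaller than RTE_BNXT_DESCS_PER_LOOP, return no packets." reads more clearly. As a style point, nb_pkts is an integer count, so an explicit `if (nb_pkts == 0)` is clearer than `if (!nb_pkts)`.
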
-- 
2.11.0


