[dpdk-dev] [PATCH 2/4] port: fix ring writer buffer overflow

Sanford, Robert rsanford at akamai.com
Fri Apr 1 16:58:19 CEST 2016

Previous message: [dpdk-dev] [PATCH] ivshmem: avoid infinite loop when concatenating adjacent segments
Next message: [dpdk-dev] [PATCH v3 0/2] Multi-process support in hash library
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


>
>
>> -----Original Message-----
>> From: Robert Sanford [mailto:rsanford2 at gmail.com]
>> Sent: Monday, March 28, 2016 9:52 PM
>> To: dev at dpdk.org; Dumitrescu, Cristian <cristian.dumitrescu at intel.com>
>> Subject: [PATCH 2/4] port: fix ring writer buffer overflow
>> 
>> Ring writer tx_bulk functions may write past the end of tx_buf[].
>> Solution is to double the size of tx_buf[].
>> 
>> Signed-off-by: Robert Sanford <rsanford at akamai.com>
>> ---
>>  lib/librte_port/rte_port_ring.c |    4 ++--
>>  1 files changed, 2 insertions(+), 2 deletions(-)
>> 
>> diff --git a/lib/librte_port/rte_port_ring.c
>>b/lib/librte_port/rte_port_ring.c
>> index b847fea..765ecc5 100644
>> --- a/lib/librte_port/rte_port_ring.c
>> +++ b/lib/librte_port/rte_port_ring.c
>> @@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port,
>>  struct rte_port_ring_writer {
>>  	struct rte_port_out_stats stats;
>> 
>> -	struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
>> +	struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
>>  	struct rte_ring *ring;
>>  	uint32_t tx_burst_sz;
>>  	uint32_t tx_buf_count;
>> @@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port,
>>  struct rte_port_ring_writer_nodrop {
>>  	struct rte_port_out_stats stats;
>> 
>> -	struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX];
>> +	struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX];
>>  	struct rte_ring *ring;
>>  	uint32_t tx_burst_sz;
>>  	uint32_t tx_buf_count;
>> --
>> 1.7.1
>
>Hi Robert,
>
>How is the buffer overflow taking place?
>
>After looking long and hard, I spotted that buffer overflow can
>potentially take place when the following conditions are met:
>1. The input packet burst does not meet the conditions of (a) being
>contiguous (first n bits set in pkts_mask, all the other bits cleared)
>and (b) containing a full burst, i.e. at least tx_burst_sz packets (n >=
>tx_burst_size). This is the slow(er) code path taken when local variable
>expr != 0.
>2. There are some packets already in the buffer.
>3. The number of packets in the incoming burst (i.e. popcount(pkts_mask))
>plus the number of packets already in the buffer exceeds the buffer size
>(RTE_PORT_IN_BURST_SIZE_MAX, i.e. 64).
>
>Is this the buffer overflow scenario that you detected?
>
>Thanks,
>Cristian
>

Hi Cristian,

Thanks for looking at the patches.
Yes, the buffer overflow occurs in the scenario you described. The
additional testing steps in patch 1/4 expose the overflow. The first time
that I run the table_autotest, it fails. The second time, the process
crashes.

--
Robert

Previous message: [dpdk-dev] [PATCH] ivshmem: avoid infinite loop when concatenating adjacent segments
Next message: [dpdk-dev] [PATCH v3 0/2] Multi-process support in hash library
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list