lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()
Mike Cui
cuicui at gmail.com
Wed Dec 28 21:37:46 CET 2022
Hi,
I believe there is a possible stack overflow in this code:
https://github.com/DPDK/dpdk/blob/main/lib/vhost/virtio_net.c#L3631
Here, pkts_prealloc is declared on the stack with size MAX_PKT_BURST, then
filled in by rte_pktmbuf_alloc_bulk() up to 'count' elements, but 'count'
is not capped at MAX_PKT_BURST like in many other code paths.
Suggested patch:
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index 9abf752f30..21f00317c7 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -3634,6 +3634,7 @@ virtio_dev_tx_async_packed(struct virtio_net *dev,
struct vhost_virtqueue *vq,
async_iter_reset(async);
+ count = RTE_MIN(count, MAX_PKT_BURST);
if (rte_pktmbuf_alloc_bulk(mbuf_pool, pkts_prealloc, count))
goto out;
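Review bot: the added clamp just before rte_pktmbuf_alloc_bulk() has no comment tying it to the size of pkts_prealloc, so a later cleanup could drop it as redundant. Add a one-line comment such as "pkts_prealloc[] holds MAX_PKT_BURST entries". Also confirm that both operands of RTE_MIN(count, MAX_PKT_BURST) have the same type here. Since the message says other code paths already cap count, placing the clamp in the same position and form as those paths keeps the functions consistent. As posted, the change has no commit message or Signed-off-by line, which it needs before it can be applied.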
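The pattern described in the message above, reduced to a stand-alone sketch (an added example, not DPDK code and not part of the original post): `alloc_bulk()`, `dequeue_burst()`, `dequeue_all()`, the pool and the value 32 are constructed stand-ins. It goes one step beyond the one-line fix by showing a caller that loops on the returned count once the burst is clamped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKT_BURST 32                 /* constructed value for this sketch */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define POOL_SIZE 256

struct pkt { uint16_t id; };
static struct pkt pool[POOL_SIZE];       /* constructed stand-in for an mbuf pool */
static size_t pool_next;
static struct pkt *out[POOL_SIZE];       /* caller-side array, larger than one burst */

/* Hypothetical all-or-nothing bulk allocator: writes exactly n pointers to dst. */
static int alloc_bulk(struct pkt **dst, uint16_t n)
{
    if (pool_next + n > POOL_SIZE)
        return -1;
    for (uint16_t i = 0; i < n; i++)
        dst[i] = &pool[pool_next++];
    return 0;
}

/* Fills a MAX_PKT_BURST-sized stack array, so count is clamped before the fill. */
static uint16_t dequeue_burst(struct pkt **pkts, uint16_t count)
{
    struct pkt *prealloc[MAX_PKT_BURST];
    count = MIN(count, MAX_PKT_BURST);   /* without this, count > 32 writes past prealloc[] */
    if (alloc_bulk(prealloc, count))
        return 0;
    memcpy(pkts, prealloc, count * sizeof(prealloc[0]));
    return count;                        /* caller learns how many were really delivered */
}

/* A caller that wants more than one burst loops on the returned count. */
static uint16_t dequeue_all(struct pkt **pkts, uint16_t want)
{
    uint16_t done = 0, n;
    while (done < want && (n = dequeue_burst(pkts + done, want - done)) > 0)
        done += n;
    return done;
}

int main(void)
{
    printf("one call: %u, looped: %u\n", dequeue_burst(out, 100), dequeue_all(out, 100));
    return 0;
}
```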