[PATCH v3 2/2] vhost: improve error handling in desc_to_mbuf

Maxime Coquelin maxime.coquelin at redhat.com
Wed Oct 5 14:57:36 CEST 2022



On 8/2/22 02:49, Claudio Fontana wrote:
> check when increasing vec_idx that it is still valid
> in the (buf_len < dev->vhost_hlen) case too.
> 
> Tested-by: Claudio Fontana <cfontana at suse.de>
> Signed-off-by: Claudio Fontana <cfontana at suse.de>
> ---
>   lib/vhost/virtio_net.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
> index eb19e54c2b..20ed951979 100644
> --- a/lib/vhost/virtio_net.c
> +++ b/lib/vhost/virtio_net.c
> @@ -2704,12 +2704,15 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
>   	if (unlikely(buf_len < dev->vhost_hlen)) {
>   		buf_offset = dev->vhost_hlen - buf_len;
>   		vec_idx++;
> +		if (unlikely(vec_idx >= nr_vec))
> +			goto error;
>   		buf_addr = buf_vec[vec_idx].buf_addr;
>   		buf_iova = buf_vec[vec_idx].buf_iova;
>   		buf_len = buf_vec[vec_idx].buf_len;
>   		buf_avail  = buf_len - buf_offset;
>   	} else if (buf_len == dev->vhost_hlen) {
> -		if (unlikely(++vec_idx >= nr_vec))
> +		vec_idx++;
> +		if (unlikely(vec_idx >= nr_vec))
>   			goto error;
>   		buf_addr = buf_vec[vec_idx].buf_addr;
>   		buf_iova = buf_vec[vec_idx].buf_iova;
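
Review bot: in the (buf_len < dev->vhost_hlen) branch, the added vec_idx >= nr_vec check validates only the index, while the unchanged line "buf_avail = buf_len - buf_offset;" still assumes the next buffer holds at least buf_offset bytes. If the rest of the header does not fit in that second buffer, the subtraction yields a negative result, or wraps if these variables are unsigned (their types are not visible in this hunk). Consider also bailing out to error when the reloaded buf_len is smaller than buf_offset, or walking buf_vec until the whole header is consumed. The split of "++vec_idx >= nr_vec" into two statements in the (buf_len == dev->vhost_hlen) branch does not change behaviour and only aligns the style of the two branches.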

This patch is no longer required since the fixes for CVE-2022-2132 take care
of this:
dc1516e260a0 ("vhost: fix header spanned across more than two descriptors")
71bd0cc536ad ("vhost: discard too small descriptor chains")

Maxime


