[DPDK/ethdev Bug 1877] virtio: potential integer overflow

[bugzilla at dpdk.org]

http://bugs.dpdk.org/show_bug.cgi?id=1877

            Bug ID: 1877
           Summary: virtio: potential integer overflow
           Product: DPDK
           Version: 25.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: ethdev
          Assignee: dev at dpdk.org
          Reporter: stephen at networkplumber.org
  Target Milestone: ---

While reusing this code snippet in another driver, AI review noticed possible
overflow:

        if (hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
                hdrlen = hdr_lens.l2_len + hdr_lens.l3_len + hdr_lens.l4_len;
                if (hdr->csum_start <= hdrlen && l4_supported) {
                        m->ol_flags |= RTE_MBUF_F_RX_L4_CKSUM_NONE;
                } else {
                        /* Unknown proto or tunnel, do sw cksum. We can assume
                         * the cksum field is in the first segment since the
                         * buffers we provided to the host are large enough.
                         * In case of SCTP, this will be wrong since it's a CRC
                         * but there's nothing we can do.
                         */
                        uint16_t csum = 0, off;

                        if (rte_raw_cksum_mbuf(m, hdr->csum_start,
                                rte_pktmbuf_pkt_len(m) - hdr->csum_start,
                                &csum) < 0)
                                return -EINVAL;
                        if (likely(csum != 0xffff))
                                csum = ~csum;
                        off = hdr->csum_offset + hdr->csum_start;

1. **Potential integer overflow** in eth_ioring_rx_offload
   ```c
   off = hdr->csum_offset + hdr->csum_start;
   ```
   Both are uint16_t from untrusted source; sum could overflow.

---

-- 
You are receiving this mail because:
You are the assignee for the bug.