[PATCH v2] net/af_packet: fix qpairs argument upper bound check

[Denis Sergeev]

The qpairs vdev argument was parsed with atoi(), which does no
validation: trailing garbage is ignored and a negative input such
as "-1" wraps to UINT_MAX when stored in the unsigned qpairs field,
passing the existing "< 1" check and reaching rte_pmd_init_internals()
as nb_queues. This causes excessive socket and memory allocation in
the per-queue loop.

Parse the value with strtoul() and reject non-numeric input, trailing
characters, negative values and values outside the
[1, RTE_MAX_QUEUES_PER_PORT] range.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: ccd37d341e8d ("net/af_packet: remove queue number limitation")

Signed-off-by: Denis Sergeev <denserg.edu at gmail.com>
---
v2:
  * Replace atoi() with strtoul() and validate the parsed value

 drivers/net/af_packet/rte_eth_af_packet.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c
index 8303ff5ca9..b7758a5c75 100644
--- a/drivers/net/af_packet/rte_eth_af_packet.c
+++ b/drivers/net/af_packet/rte_eth_af_packet.c
@@ -1168,13 +1168,20 @@ rte_eth_from_packet(struct rte_vdev_device *dev,
 	for (k_idx = 0; k_idx < kvlist->count; k_idx++) {
 		pair = &kvlist->pairs[k_idx];
 		if (strstr(pair->key, ETH_AF_PACKET_NUM_Q_ARG) != NULL) {
-			qpairs = atoi(pair->value);
-			if (qpairs < 1) {
+			char *endptr;
+			unsigned long num;
+
+			errno = 0;
+			num = strtoul(pair->value, &endptr, 10);
+			if (errno != 0 || endptr == pair->value ||
+					*endptr != '\0' || pair->value[0] == '-' ||
+					num < 1 || num > RTE_MAX_QUEUES_PER_PORT) {
 				PMD_LOG(ERR,
 					"%s: invalid qpairs value",
 					name);
 				return -1;
 			}
+			qpairs = num;
 			continue;
 		}
 		if (strstr(pair->key, ETH_AF_PACKET_BLOCKSIZE_ARG) != NULL) {
-- 
2.50.1