[PATCH] net/iavf: reject oversized frames in prep callback

[Ciara Loftus]

Currently, only the segment count is checked for non-TSO packets. There
is no upper bound placed on the packet length, so packets larger than
`IAVF_FRAME_SIZE_MAX` pass the prepare callback unchallenged and are
submitted to the hardware. Sending such frames can trigger Malicious
Driver Detection (MDD) on the PF. Fix this by adding a packet length
size check on the non-TSO path.

Fixes: 19ee91c6bd9a ("net/iavf: check illegal packet sizes")
Cc: stable at dpdk.org

Signed-off-by: Ciara Loftus <ciara.loftus at intel.com>
---
 drivers/net/intel/iavf/iavf_rxtx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/intel/iavf/iavf_rxtx.c b/drivers/net/intel/iavf/iavf_rxtx.c
index decbc75142..a57af7faed 100644
--- a/drivers/net/intel/iavf/iavf_rxtx.c
+++ b/drivers/net/intel/iavf/iavf_rxtx.c
@@ -3227,9 +3227,9 @@ iavf_prep_pkts(__rte_unused void *tx_queue, struct rte_mbuf **tx_pkts,
 		m = tx_pkts[i];
 		ol_flags = m->ol_flags;
 
-		/* Check condition for nb_segs > IAVF_TX_MAX_MTU_SEG. */
+		/* Validate segment count and packet length. */
 		if (!(ol_flags & (RTE_MBUF_F_TX_TCP_SEG | RTE_MBUF_F_TX_UDP_SEG))) {
-			if (m->nb_segs > IAVF_TX_MAX_MTU_SEG) {
+			if (m->nb_segs > IAVF_TX_MAX_MTU_SEG || m->pkt_len > IAVF_FRAME_SIZE_MAX) {
 				rte_errno = EINVAL;
 				return i;
 			}
-- 
2.43.0