[dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst

Yunjian Wang wangyunjian at huawei.com
Mon Jul 18 15:08:44 CEST 2022


In bond_ethdev_rx_burst() function, we check the validity of the
'active_slave' as this code:
if (++active_slave == slave_count)
	active_slave = 0;
However, the value of 'active_slave' maybe equal to 'slave_count',
when a slave is down. This is wrong and it can cause buffer overflow.
This patch fixes the issue by using '>=' instead of '=='.

Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness")
Cc: stable at dpdk.org

Signed-off-by: Lei Ji <jilei8 at huawei.com>
Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
---
 drivers/net/bonding/rte_eth_bond_pmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c
index 73e6972035..6f8a6da108 100644
--- a/drivers/net/bonding/rte_eth_bond_pmd.c
+++ b/drivers/net/bonding/rte_eth_bond_pmd.c
@@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					 bufs + num_rx_total, nb_pkts);
 		num_rx_total += num_rx_slave;
 		nb_pkts -= num_rx_slave;
-		if (++active_slave == slave_count)
+		if (++active_slave >= slave_count)
 			active_slave = 0;
 	}
 
-- 
2.27.0



More information about the stable mailing list