[PATCH v3 8/8] vhost: avoid dead loop chain.
From: Yuanhan Liu <hidden>
Date: 2016-03-10 04:30:16
Subsystem:
library code, the rest · Maintainers:
Andrew Morton, Linus Torvalds
From: Yuanhan Liu <hidden>
Date: 2016-03-10 04:30:16
Subsystem:
library code, the rest · Maintainers:
Andrew Morton, Linus Torvalds
If a malicious guest forges a dead loop chain, it could lead to a dead loop of copying the desc buf to mbuf, which results to all mbuf being exhausted. Add a var nr_desc to avoid such case. Suggested-by: Huawei Xie <redacted> Signed-off-by: Yuanhan Liu <redacted> --- lib/librte_vhost/vhost_rxtx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
index 43db6c7..73fab7e 100644
--- a/lib/librte_vhost/vhost_rxtx.c
+++ b/lib/librte_vhost/vhost_rxtx.c@@ -743,6 +743,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, uint32_t cpy_len; struct rte_mbuf *cur = m, *prev = m; struct virtio_net_hdr *hdr; + /* A counter to avoid desc dead loop chain */ + uint32_t nr_desc = 1; desc = &vq->desc[desc_idx]; if (unlikely(desc->len < vq->vhost_hlen))
@@ -761,7 +763,8 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, while (desc_avail != 0 || (desc->flags & VRING_DESC_F_NEXT) != 0) { /* This desc reaches to its end, get the next one */ if (desc_avail == 0) { - if (unlikely(desc->next >= vq->size)) + if (unlikely(desc->next >= vq->size || + ++nr_desc >= vq->size)) return -1; desc = &vq->desc[desc->next];
--
1.9.0