aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/devices/virtio
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2020-12-08 19:08:05 +0100
committerDamjan Marion <dmarion@me.com>2020-12-11 23:27:54 +0000
commit32526a42c59f076e356c3690306b8bcaa80d999d (patch)
treeb6d6876fb7f8cbcc17f5acc480167b19ff1129a3 /src/vnet/devices/virtio
parent793be46324453e5326eb37a13ffb82f92b1f55b1 (diff)
virtio: fix vrings overflow in vhost_user
Type: fix Change-Id: I7ca955882c0e263a9ace4b14021e51488564e411 Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/devices/virtio')
-rw-r--r--src/vnet/devices/virtio/vhost_user.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/vnet/devices/virtio/vhost_user.c b/src/vnet/devices/virtio/vhost_user.c
index cf149f8b4db..d8c79ea17aa 100644
--- a/src/vnet/devices/virtio/vhost_user.c
+++ b/src/vnet/devices/virtio/vhost_user.c
@@ -598,7 +598,8 @@ vhost_user_socket_read (clib_file_t * uf)
if ((msg.state.num > 32768) || /* maximum ring size is 32768 */
(msg.state.num == 0) || /* it cannot be zero */
- ((msg.state.num - 1) & msg.state.num)) /* must be power of 2 */
+ ((msg.state.num - 1) & msg.state.num) || /* must be power of 2 */
+ (msg.state.index >= VHOST_VRING_MAX_N))
goto close_socket;
vui->vrings[msg.state.index].qsz_mask = msg.state.num - 1;
break;
@@ -678,6 +679,8 @@ vhost_user_socket_read (clib_file_t * uf)
vui->hw_if_index, msg.u64);
q = (u8) (msg.u64 & 0xFF);
+ if (q >= VHOST_VRING_MAX_N)
+ goto close_socket;
/* if there is old fd, delete and close it */
if (vui->vrings[q].callfd_idx != ~0)
@@ -711,6 +714,8 @@ vhost_user_socket_read (clib_file_t * uf)
vui->hw_if_index, msg.u64);
q = (u8) (msg.u64 & 0xFF);
+ if (q >= VHOST_VRING_MAX_N)
+ goto close_socket;
if (vui->vrings[q].kickfd_idx != ~0)
{
@@ -750,6 +755,8 @@ vhost_user_socket_read (clib_file_t * uf)
vui->hw_if_index, msg.u64);
q = (u8) (msg.u64 & 0xFF);
+ if (q >= VHOST_VRING_MAX_N)
+ goto close_socket;
if (vui->vrings[q].errfd != -1)
close (vui->vrings[q].errfd);
@@ -769,6 +776,8 @@ vhost_user_socket_read (clib_file_t * uf)
vu_log_debug (vui,
"if %d msg VHOST_USER_SET_VRING_BASE idx %d num 0x%x",
vui->hw_if_index, msg.state.index, msg.state.num);
+ if (msg.state.index >= VHOST_VRING_MAX_N)
+ goto close_socket;
vlib_worker_thread_barrier_sync (vm);
vui->vrings[msg.state.index].last_avail_idx = msg.state.num;
if (vhost_user_is_packed_ring_supported (vui))
ss="cm"> * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifndef included_ip_table_h #define included_ip_table_h #include <vnet/vnet.h> typedef enum vnet_ip_table_function_priority_t_ { VNET_IP_TABLE_FUNC_PRIORITY_LOW, VNET_IP_TABLE_FUNC_PRIORITY_HIGH, } vnet_ip_table_function_priority_t; #define VNET_IP_TABLE_FUNC_N_PRIO ((vnet_ip_table_function_priority_t)VNET_IP_TABLE_FUNC_PRIORITY_HIGH+1) #ifndef CLIB_MARCH_VARIANT #define _VNET_IP_TABLE_FUNCTION_DECL_PRIO(f,tag,p) \ \ static void __vnet_ip_table_function_init_##tag##_##f (void) \ __attribute__((__constructor__)) ; \ \ static void __vnet_ip_table_function_init_##tag##_##f (void) \ { \ vnet_main_t * vnm = vnet_get_main(); \ static _vnet_ip_table_function_list_elt_t init_function; \ init_function.next_ip_table_function = vnm->tag##_functions[p]; \ vnm->tag##_functions[p] = &init_function; \ init_function.fp = (void *) &f; \ } \ static void __vnet_ip_table_function_deinit_##tag##_##f (void) \ __attribute__((__destructor__)) ; \ \ static void __vnet_ip_table_function_deinit_##tag##_##f (void) \ { \ vnet_main_t * vnm = vnet_get_main(); \ _vnet_ip_table_function_list_elt_t *next; \ if (vnm->tag##_functions[p]->fp == f) \ { \ vnm->tag##_functions[p] = \ vnm->tag##_functions[p]->next_ip_table_function; \ return; \ } \ next = vnm->tag##_functions[p]; \ while (next->next_ip_table_function) \ { \ if (next->next_ip_table_function->fp == f) \ { \ next->next_ip_table_function = \ next->next_ip_table_function->next_ip_table_function; \ return; \ } \ next = next->next_ip_table_function; \ } \ } #else /* create unused pointer to silence compiler warnings and get whole function optimized out */ #define _VNET_IP_TABLE_FUNCTION_DECL_PRIO(f,tag,p) \ static __clib_unused void * __clib_unused_##f = f; #endif #define _VNET_IP_TABLE_FUNCTION_DECL(f,tag) \ _VNET_IP_TABLE_FUNCTION_DECL_PRIO(f,tag,VNET_ITF_FUNC_PRIORITY_LOW) #define VNET_IP_TABLE_ADD_DEL_FUNCTION(f) \ _VNET_IP_TABLE_FUNCTION_DECL(f,ip_table_add_del) #endif /* included_ip_table_h */ /* * fd.io coding-style-patch-verification: ON * * Local Variables: * eval: (c-set-style "gnu") * End: */