From 8812a68062016e622b33cbae6a21bc073caa918e Mon Sep 17 00:00:00 2001 From: Steven Date: Mon, 24 Sep 2018 14:23:44 -0700 Subject: vmxnet3: guard against array overflow Under extreme condition, it is possible for input node to have more than 256 packets available to process. Add a check to the while loop to prevent overrun buffer_indices and nexts. Change-Id: Id9830e5c254f04216eb79e864a5460e08cf2e4e5 Signed-off-by: Steven --- src/plugins/vmxnet3/input.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/plugins/vmxnet3/input.c b/src/plugins/vmxnet3/input.c index e3e8b319835..a0b9cbca578 100644 --- a/src/plugins/vmxnet3/input.c +++ b/src/plugins/vmxnet3/input.c @@ -95,8 +95,9 @@ vmxnet3_device_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, comp_ring = &rxq->rx_comp_ring; bi = buffer_indices; next = nexts; - while (comp_ring->gen == - (rxq->rx_comp[comp_ring->next].flags & VMXNET3_RXCF_GEN)) + while (PREDICT_TRUE (n_rx_packets < VLIB_FRAME_SIZE) && + (comp_ring->gen == + (rxq->rx_comp[comp_ring->next].flags & VMXNET3_RXCF_GEN))) { vlib_buffer_t *b0; u32 bi0; -- cgit 1.2.3-korg