From fc025725b895057d16687ebcab22d1bbb0837cba Mon Sep 17 00:00:00 2001
From: Steven Luong
Date: Mon, 15 Aug 2022 12:45:43 -0700
Subject: memif: crash on receiving a bad descriptor

We validate each descriptor via memif_validate_desc_data and set desc_status to non-zero for the corresponding descriptor when the descriptor is bad. However, desc_status is not propagated back to xor_status in memif_validate_desc_data which eventually sets ptd->xor_status. Not setting ptd->xor_status causes us to treat all descriptors as "simple". In that case, when we try to copy also the bad descriptors to the buffers, it results in a crash since desc_data is not set to point to the correct memory in the descriptor.

The fix is to set xor_status in memif_validate_desc_data such that if there is a bad descriptor in the frame, "is_simple" is set to false and we have to selectively copy only the good descriptors to the buffers.

Type: fix
Signed-off-by: Steven Luong
Change-Id: I780f51a42aa0f8745edcddebbe02b2961c183598
---
 src/plugins/memif/node.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/plugins/memif')

diff --git a/src/plugins/memif/node.c b/src/plugins/memif/node.c index ce9f95bc453..5abd20abc35 100644 --- a/src/plugins/memif/node.c +++ b/src/plugins/memif/node.c @@ -223,9 +223,9 @@ memif_validate_desc_data (memif_per_thread_data_t *ptd, memif_if_t *mif, desc_data[i] = r->shm + offset; if (len > max_len) max_len = len; - xor_status |= desc_status[i].as_u8; n_rx_bytes += len; } + xor_status |= desc_status[i].as_u8; } ptd->max_desc_len = max_len; -- cgit 1.2.3-korg
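Review bot: the relocated `xor_status |= desc_status[i].as_u8;`, now placed after the closing brace of the block that assigns `desc_data[i]`, has no comment explaining why it must run for every descriptor, including those for which `desc_data[i]` is never set. The one-line move is easy to undo in a later cleanup, so a short comment at that line would help, for example one stating that bad descriptors must also contribute to the accumulated status so the frame is not handled as "simple". The diffstat shows only node.c changing, so no regression test comes with the fix; a test that feeds a frame containing one invalid descriptor and checks that only the valid ones are copied would pin the behaviour down. As a style point, `xor_status` is accumulated with `|=`, so the name does not match the operation; a rename or a note at its declaration would avoid confusion.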