The size argument to the PMD can not be larger than the largest
per-mbuf data segment size; otherwise the logic in eth_null_rx()
would generate an invalid mbuf.
Fixes: 4df90194f2a2 ("net/null: prefer unsigned int")
Cc: [email protected]
Signed-off-by: Stephen Hemminger <[email protected]>
---
doc/guides/rel_notes/release_26_03.rst | 2 ++
drivers/net/null/rte_eth_null.c | 9 ++++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/doc/guides/rel_notes/release_26_03.rst
b/doc/guides/rel_notes/release_26_03.rst
index e59d839164..04d2cfee8a 100644
--- a/doc/guides/rel_notes/release_26_03.rst
+++ b/doc/guides/rel_notes/release_26_03.rst
@@ -60,6 +60,8 @@ New Features
* Changed info response to match mbuf limits.
* Added validation that mbuf pool data size is large enough for
packet size argument.
+ * Added check that packet size argument is not larger than largest
+ possible mbuf data segment.
Removed Items
diff --git a/drivers/net/null/rte_eth_null.c b/drivers/net/null/rte_eth_null.c
index 81001d9326..b5b83f1cf0 100644
--- a/drivers/net/null/rte_eth_null.c
+++ b/drivers/net/null/rte_eth_null.c
@@ -610,14 +610,17 @@ get_packet_size_arg(const char *key __rte_unused,
{
const char *a = value;
unsigned int *packet_size = extra_args;
+ unsigned long sz;
if ((value == NULL) || (extra_args == NULL))
return -EINVAL;
- *packet_size = (unsigned int)strtoul(a, NULL, 0);
- if (*packet_size == UINT_MAX)
- return -1;
+ errno = 0;
+ sz = strtoul(a, NULL, 0);
+ if (sz > UINT16_MAX || errno != 0)
+ return -EINVAL;
+ *packet_size = sz;
return 0;
}
--
2.51.0
