The receive path copies the entire incoming packet into a single
mbuf without verifying the packet fits. If the kernel interface
MTU is raised externally beyond the mbuf data room size, the
memcpy overflows the mbuf buffer.

Add a bounds check against the mbuf tailroom before copying.
Oversized packets are dropped and accounted for in the
rx_dropped_pkts counter, consistent with how the TX path
already drops oversized packets.

Fixes: 364e08f2bb ("af_packet: add PMD for AF_PACKET-based virtual devices")
Cc: [email protected]

Signed-off-by: Xavier Guillaume <[email protected]>
---
drivers/net/af_packet/rte_eth_af_packet.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/af_packet/rte_eth_af_packet.c
b/drivers/net/af_packet/rte_eth_af_packet.c
index bfa68297a6..b04987aaf7 100644
--- a/drivers/net/af_packet/rte_eth_af_packet.c
+++ b/drivers/net/af_packet/rte_eth_af_packet.c
@@ -154,6 +154,16 @@ eth_af_packet_rx(void *queue, struct rte_mbuf **bufs,
uint16_t nb_pkts)
break;
}
+ /* drop packets that won't fit in the mbuf */
+ if (ppd->tp_snaplen > rte_pktmbuf_tailroom(mbuf)) {
+ rte_pktmbuf_free(mbuf);
+ ppd->tp_status = TP_STATUS_KERNEL;
+ if (++framenum >= framecount)
+ framenum = 0;
+ pkt_q->rx_dropped_pkts++;
+ continue;
+ }
+
/* packet will fit in the mbuf, go ahead and receive it */
rte_pktmbuf_pkt_len(mbuf) = rte_pktmbuf_data_len(mbuf) =
ppd->tp_snaplen;
pbuf = (uint8_t *) ppd + ppd->tp_mac;
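
Review bot: The `continue` at the end of the added drop block skips the rest of the loop body, so the fix is only correct if the later store into `bufs` (not shown in this hunk) is indexed by the number of packets actually received. If that store is indexed by the loop counter instead, a dropped frame leaves an unwritten slot in `bufs` and the caller could read an entry that was never set; please confirm which index is used, and switch it to the received count in this patch if needed. Separately, the oversize case is the exceptional branch on a per-packet receive path, so the condition could be written as `if (unlikely(ppd->tp_snaplen > rte_pktmbuf_tailroom(mbuf)))`.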
--
2.34.1