Currently, only the segment count is checked for non-TSO packets. There
is no upper bound placed on the packet length, so packets larger than
`IAVF_FRAME_SIZE_MAX` pass the prepare callback unchallenged and are
submitted to the hardware. Sending such frames can trigger Malicious
Driver Detection (MDD) on the PF. Fix this by adding a packet length
size check on the non-TSO path.
Fixes: 19ee91c6bd9a ("net/iavf: check illegal packet sizes")
Cc: [email protected]
Signed-off-by: Ciara Loftus <[email protected]>
---
drivers/net/intel/iavf/iavf_rxtx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/intel/iavf/iavf_rxtx.c
b/drivers/net/intel/iavf/iavf_rxtx.c
index decbc75142..a57af7faed 100644
--- a/drivers/net/intel/iavf/iavf_rxtx.c
+++ b/drivers/net/intel/iavf/iavf_rxtx.c
@@ -3227,9 +3227,9 @@ iavf_prep_pkts(__rte_unused void *tx_queue, struct
rte_mbuf **tx_pkts,
m = tx_pkts[i];
ol_flags = m->ol_flags;
- /* Check condition for nb_segs > IAVF_TX_MAX_MTU_SEG. */
+ /* Validate segment count and packet length. */
if (!(ol_flags & (RTE_MBUF_F_TX_TCP_SEG |
RTE_MBUF_F_TX_UDP_SEG))) {
- if (m->nb_segs > IAVF_TX_MAX_MTU_SEG) {
+ if (m->nb_segs > IAVF_TX_MAX_MTU_SEG || m->pkt_len >
IAVF_FRAME_SIZE_MAX) {
rte_errno = EINVAL;
return i;
}
--
2.43.0
