The buffer id is part of the RX completion descriptor for packets in the
DQ format. This value can technically go up to 64K, while the max RX
ring size is 4K, meaning that there could similarly be an expected 4K RX
buffer IDs. Validate that the RX buffer ID is valid before attempting to
access it in the sw_ring to prevent a potential out of bounds in the
event of a hardware error.

Fixes: 1aed73b23ac0 ("net/gve: support out-of-order completions on DQ Rx")
Cc: [email protected]
Signed-off-by: Joshua Washington <[email protected]>
Reviewed-by: Jasper Tran O'Leary <[email protected]>
---
 drivers/net/gve/gve_rx_dqo.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/gve/gve_rx_dqo.c b/drivers/net/gve/gve_rx_dqo.c
index cc343f3fd8..c4e2d32067 100644
--- a/drivers/net/gve/gve_rx_dqo.c
+++ b/drivers/net/gve/gve_rx_dqo.c
@@ -200,6 +200,11 @@ gve_rx_burst_dqo(void *rx_queue, struct rte_mbuf 
**rx_pkts, uint16_t nb_pkts)
                }
 
                rx_buf_id = rte_le_to_cpu_16(rx_desc->buf_id);
+               if (unlikely(rx_buf_id >= rxq->nb_rx_desc)) {
+                       PMD_DRV_DP_LOG(ERR, "Invalid buf_id %d", rx_buf_id);
+                       continue;
+               }
+
                rxm = rxq->sw_ring[rx_buf_id];
                gve_completed_buf_list_push(rxq, rx_buf_id);
 
-- 
2.55.0.rc0.799.gd6f94ed593-goog

Reply via email to