Hi Zhike, On 11/13/19 6:03 AM, Zhike Wang wrote: > When VHOST_USER_VRING_NOFD_MASK is set, the fd_num is 0. > > Fixes: bf47225 ("vhost: fix possible denial of service by leaking FDs") > Signed-off-by: Zhike Wang <wangzk...@163.com> > --- > lib/librte_vhost/vhost_user.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > > diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c > index 90ecee1..0cfb8b7 100644 > --- a/lib/librte_vhost/vhost_user.c > +++ b/lib/librte_vhost/vhost_user.c > @@ -1563,8 +1563,10 @@ > struct virtio_net *dev = *pdev; > struct vhost_vring_file file; > struct vhost_virtqueue *vq; > + int expected_fds; > > - if (validate_msg_fds(msg, 1) != 0) > + expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1; > + if (validate_msg_fds(msg, expected_fds) != 0) > return RTE_VHOST_MSG_RESULT_ERR; > > file.index = msg->payload.u64 & VHOST_USER_VRING_IDX_MASK; > @@ -1588,7 +1590,10 @@ static int vhost_user_set_vring_err(struct virtio_net > **pdev __rte_unused, > struct VhostUserMsg *msg, > int main_fd __rte_unused) > { > - if (validate_msg_fds(msg, 1) != 0) > + int expected_fds; > + > + expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1; > + if (validate_msg_fds(msg, expected_fds) != 0) > return RTE_VHOST_MSG_RESULT_ERR; > > if (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK)) > @@ -1790,8 +1795,10 @@ static int vhost_user_set_vring_err(struct virtio_net > **pdev __rte_unused, > struct virtio_net *dev = *pdev; > struct vhost_vring_file file; > struct vhost_virtqueue *vq; > + int expected_fds; > > - if (validate_msg_fds(msg, 1) != 0) > + expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1; > + if (validate_msg_fds(msg, expected_fds) != 0) > return RTE_VHOST_MSG_RESULT_ERR; > > file.index = msg->payload.u64 & VHOST_USER_VRING_IDX_MASK; >
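Review bot: the expression `(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1` added in the hunk at @@ -1563 is repeated verbatim in the hunks at @@ -1588 and @@ -1790. A small static helper that takes msg and returns the expected fd count would keep the three handlers from drifting apart if the NOFD rule ever changes, and would remove the local expected_fds from each of them.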
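Review bot: in the hunk at @@ -1588 (vhost_user_set_vring_err), the NOFD bit is now tested twice, once to compute expected_fds and again in the unchanged `if (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK))` that follows the validation. Deriving both from a single test, for example by branching on expected_fds in the second condition, would keep the count check and the later fd handling tied to the same decision.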
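Review bot: in the hunk at @@ -1790, a message with VHOST_USER_VRING_NOFD_MASK set must now carry exactly 0 fds, so a peer that sets the bit and still attaches a descriptor takes the RTE_VHOST_MSG_RESULT_ERR return. The visible lines do not show whether that error path closes the attached descriptor. Since the Fixes: commit is about leaking FDs, please confirm that it does and mention it in the commit message, which currently only states that fd_num is 0.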
Thanks for the fix, shame on me for missing that...

Reviewed-by: Maxime Coquelin <maxime.coque...@redhat.com>

Cc'ing stable also, as we'll need to backport it.

Regards,
Maxime