> -----Original Message-----
> From: Maxime Coquelin <maxime.coque...@redhat.com>
> Sent: Tuesday, October 20, 2020 1:34 AM
> To: dev@dpdk.org; Xia, Chenbo <chenbo....@intel.com>; amore...@redhat.com
> Cc: Maxime Coquelin <maxime.coque...@redhat.com>; sta...@dpdk.org
> Subject: [PATCH 5/7] vhost: validate index in inflight API
>
> This patch validates the queue index parameter, in order
> to ensure neither out-of-bound accesses nor NULL pointer
> dereferencing happen.
>
> Fixes: 4d891f77ddfa ("vhost: add APIs to get inflight ring")
> Cc: sta...@dpdk.org
>
> Signed-off-by: Maxime Coquelin <maxime.coque...@redhat.com>
> ---
> lib/librte_vhost/vhost.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/lib/librte_vhost/vhost.c b/lib/librte_vhost/vhost.c
> index b9afe46ca2..f78bdfcc94 100644
> --- a/lib/librte_vhost/vhost.c
> +++ b/lib/librte_vhost/vhost.c
> @@ -1523,15 +1523,23 @@ rte_vhost_get_vring_base_from_inflight(int vid,
> uint16_t *last_used_idx)
> {
> struct rte_vhost_inflight_info_packed *inflight_info;
> + struct vhost_virtqueue *vq;
> struct virtio_net *dev = get_device(vid);
>
> if (dev == NULL || last_avail_idx == NULL || last_used_idx == NULL)
> return -1;
>
> + if (queue_id >= VHOST_MAX_VRING)
> + return -1;
> +
> + vq = dev->virtqueue[queue_id];
> + if (!vq)
> + return -1;
> +
> if (!vq_is_packed(dev))
> return -1;
>
> - inflight_info = dev->virtqueue[queue_id]->inflight_packed;
> + inflight_info = vq->inflight_packed;
> if (!inflight_info)
> return -1;
>
> --
> 2.26.2
Reviewed-by: Chenbo Xia <chenbo....@intel.com>
