The qpairs vdev argument was parsed with atoi(), which does no
validation: trailing garbage is ignored and a negative input such
as "-1" wraps to UINT_MAX when stored in the unsigned qpairs field,
passing the existing "< 1" check and reaching rte_pmd_init_internals()
as nb_queues. This causes excessive socket and memory allocation in
the per-queue loop.
Parse the value with strtoul() and reject non-numeric input, trailing
characters, negative values and values outside the
[1, RTE_MAX_QUEUES_PER_PORT] range.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: ccd37d341e8d ("net/af_packet: remove queue number limitation")
Signed-off-by: Denis Sergeev <[email protected]>
---
v2:
* Replace atoi() with strtoul() and validate the parsed value
drivers/net/af_packet/rte_eth_af_packet.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/af_packet/rte_eth_af_packet.c
b/drivers/net/af_packet/rte_eth_af_packet.c
index 8303ff5ca9..b7758a5c75 100644
--- a/drivers/net/af_packet/rte_eth_af_packet.c
+++ b/drivers/net/af_packet/rte_eth_af_packet.c
@@ -1168,13 +1168,20 @@ rte_eth_from_packet(struct rte_vdev_device *dev,
for (k_idx = 0; k_idx < kvlist->count; k_idx++) {
pair = &kvlist->pairs[k_idx];
if (strstr(pair->key, ETH_AF_PACKET_NUM_Q_ARG) != NULL) {
- qpairs = atoi(pair->value);
- if (qpairs < 1) {
+ char *endptr;
+ unsigned long num;
+
+ errno = 0;
+ num = strtoul(pair->value, &endptr, 10);
+ if (errno != 0 || endptr == pair->value ||
+ *endptr != '\0' || pair->value[0] ==
'-' ||
+ num < 1 || num >
RTE_MAX_QUEUES_PER_PORT) {
PMD_LOG(ERR,
"%s: invalid qpairs value",
name);
return -1;
}
+ qpairs = num;
continue;
}
if (strstr(pair->key, ETH_AF_PACKET_BLOCKSIZE_ARG) != NULL) {
--
2.50.1
