In fill_vec_buf, a uint32_t value is implicitly converted to uint16_t when *desc_chain_len is assigned from len. This may result in data truncation.
/*
 * Build the buf_vector entries for one descriptor chain.
 *
 * Reads the avail ring entry selected by avail_idx, records the chain's
 * head descriptor index in *desc_chain_head, then walks the chain via
 * VRING_DESC_F_NEXT, copying each descriptor's addr, len and index into
 * buf_vec starting at slot *vec_idx.  On success the summed descriptor
 * length is stored in *desc_chain_len, *vec_idx is advanced past the
 * entries written, and 0 is returned.  Returns -1 when the walk would
 * exceed BUF_VECTOR_MAX slots or a descriptor index is >= vq->size.
 *
 * NOTE(review): len is accumulated as uint32_t but desc_chain_len is a
 * uint16_t, so the total is silently reduced modulo 65536 on the final
 * store -- the truncation this report is about.  A caller that sizes
 * or bounds a copy by *desc_chain_len sees a smaller value than the
 * chain actually describes.
 */
static inline int __attribute__((always_inline))
fill_vec_buf(struct virtio_net *dev, struct vhost_virtqueue *vq,
	     uint32_t avail_idx, uint32_t *vec_idx,
	     struct buf_vector *buf_vec, uint16_t *desc_chain_head,
	     uint16_t *desc_chain_len) --The desc_chain_len is defined uint16_t.
{
	/* avail_idx & (size - 1): presumably relies on vq->size being a
	 * power of two -- confirm against where vq->size is validated */
	uint16_t idx = vq->avail->ring[avail_idx & (vq->size - 1)];
	uint32_t vec_id = *vec_idx;
	/* running total of descs[].len over the chain; 32-bit here */
	uint32_t len = 0; --The len is defined uint32_t.
	struct vring_desc *descs = vq->desc;

	*desc_chain_head = idx;
	... /* elided in the report */
	while (1) {
		/* Bounds on both the buf_vec slot and the descriptor index.
		 * vec_id grows every iteration, so the loop also terminates
		 * on a chain whose next pointers form a cycle. */
		if (unlikely(vec_id >= BUF_VECTOR_MAX || idx >= vq->size))
			return -1;

		/* descs[idx].len is read from the descriptor table; presumably
		 * not trusted input, so this sum may wrap at UINT32_MAX before
		 * the 16-bit truncation below -- TODO confirm */
		len += descs[idx].len;
		buf_vec[vec_id].buf_addr = descs[idx].addr;
		buf_vec[vec_id].buf_len = descs[idx].len;
		buf_vec[vec_id].desc_idx = idx;
		vec_id++;

		if ((descs[idx].flags & VRING_DESC_F_NEXT) == 0)
			break;

		/* next is validated against vq->size at the top of the loop */
		idx = descs[idx].next;
	}

	/* Implicit uint32_t -> uint16_t narrowing: chains whose total length
	 * exceeds UINT16_MAX are misreported to the caller. */
	*desc_chain_len = len; --Here, uint32_t cast to uint16_t.
	*vec_idx = vec_id;

	return 0;
}