On Mon, Mar 07, 2016 at 03:10:43AM +, Xie, Huawei wrote:
> On 2/18/2016 9:48 PM, Yuanhan Liu wrote:
> > + if (unlikely(desc->next >= vq->size))
> > + goto fail;
>
> desc chains could be forged into a loop then vhost runs the dead loop
> until it exha
On 2/18/2016 9:48 PM, Yuanhan Liu wrote:
> + if (unlikely(desc->next >= vq->size))
> + goto fail;
desc chains could be forged into a loop then vhost runs the dead loop
until it exhaust all mbuf memory.
A malicious guest may easily forge some illegal vring desc buf.
To make our vhost robust, we need make sure desc->next will not
go beyond the vq->desc[] array.
Suggested-by: Rich Lane
Signed-off-by: Yuanhan Liu
---
lib/librte_vhost/vhost_rxtx.c | 15 +++
1 file changed, 11 insertion
3 matches
Mail list logo
