vhost: fix queue number check when setting inflight FD

In function vhost_user_set_inflight_fd, queue number in inflight message is used to access virtqueue. However, queue number could be larger than VHOST_MAX_VRING and cause write OOB as this number will be used to write inflight info in virtqueue structure. This patch checks the queue number to avoid the issue and also make sure virtqueues are allocated before setting inflight information. Fixes: ad0a4ae ("vhost: checkout resubmit inflight information") Cc: stable@dpdk.org Reported-by: Wenxiang Qian <leonwxqian@gmail.com> Signed-off-by: Chenbo Xia <chenbo.xia@intel.com> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
DPDK · Mar 10, 2022 · 6442c32 · 6442c32
1 parent 312b94e
commit 6442c32
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
@@ -2883,6 +2883,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
 	case VHOST_USER_SET_VRING_ADDR:
 		vring_idx = ctx->msg.payload.addr.index;
 		break;
+	case VHOST_USER_SET_INFLIGHT_FD:
+		vring_idx = ctx->msg.payload.inflight.num_queues - 1;
+		break;
 	default:
 		return 0;
 	}