vhost: fix queue number check when setting inflight FD

[ upstream commit 6442c32 ] In function vhost_user_set_inflight_fd, queue number in inflight message is used to access virtqueue. However, queue number could be larger than VHOST_MAX_VRING and cause write OOB as this number will be used to write inflight info in virtqueue structure. This patch checks the queue number to avoid the issue and also make sure virtqueues are allocated before setting inflight information. Fixes: ad0a4ae ("vhost: checkout resubmit inflight information") Reported-by: Wenxiang Qian <leonwxqian@gmail.com> Signed-off-by: Chenbo Xia <chenbo.xia@intel.com> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
bluca · Mar 15, 2022 · 9bac6ad · 9bac6ad
1 parent cc761b3
commit 9bac6ad
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
@@ -2692,6 +2692,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
 	case VHOST_USER_SET_VRING_ADDR:
 		vring_idx = msg->payload.addr.index;
 		break;
+	case VHOST_USER_SET_INFLIGHT_FD:
+		vring_idx = msg->payload.inflight.num_queues - 1;
+		break;
 	default:
 		return 0;
 	}