net/iavf: fix overflow in maximum packet length config

[ upstream commit 7fe7418 ] The len variable, used in the computation of max_pkt_len could overflow, if used to store the result of the following computation: rxq->rx_buf_len * IAVF_MAX_CHAINED_RX_BUFFERS Since, we could define the mbuf size to have a large value (i.e 13312), and IAVF_MAX_CHAINED_RX_BUFFERS is defined as 5, the computation mentioned above could potentially result in a value which might be bigger than MAX_USHORT. The result will be that Jumbo Frames will not work properly Fixes: 69dd4c3 ("net/avf: enable queue and device") Signed-off-by: Tudor Cornea <tudor.cornea@gmail.com> Acked-by: Qi Zhang <qi.z.zhang@intel.com>
cpaelzer · Nov 30, 2021 · 01b2a53 · 01b2a53
1 parent 568ce33
commit 01b2a53
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/drivers/net/iavf/iavf_ethdev.c b/drivers/net/iavf/iavf_ethdev.c
@@ -263,13 +263,14 @@ iavf_init_rxq(struct rte_eth_dev *dev, struct iavf_rx_queue *rxq)
 {
 	struct iavf_hw *hw = IAVF_DEV_PRIVATE_TO_HW(dev->data->dev_private);
 	struct rte_eth_dev_data *dev_data = dev->data;
-	uint16_t buf_size, max_pkt_len, len;
+	uint16_t buf_size, max_pkt_len;
 
 	buf_size = rte_pktmbuf_data_room_size(rxq->mp) - RTE_PKTMBUF_HEADROOM;
 
 	/* Calculate the maximum packet length allowed */
-	len = rxq->rx_buf_len * IAVF_MAX_CHAINED_RX_BUFFERS;
-	max_pkt_len = RTE_MIN(len, dev->data->dev_conf.rxmode.max_rx_pkt_len);
+	max_pkt_len = RTE_MIN((uint32_t)
+			rxq->rx_buf_len * IAVF_MAX_CHAINED_RX_BUFFERS,
+			dev->data->dev_conf.rxmode.max_rx_pkt_len);
 
 	/* Check if the jumbo frame and maximum packet length are set
 	 * correctly.