> > >> -----Original Message----- >> From: Robert Sanford [mailto:rsanford2 at gmail.com] >> Sent: Monday, March 28, 2016 9:52 PM >> To: dev at dpdk.org; Dumitrescu, Cristian <cristian.dumitrescu at intel.com> >> Subject: [PATCH 2/4] port: fix ring writer buffer overflow >> >> Ring writer tx_bulk functions may write past the end of tx_buf[]. >> Solution is to double the size of tx_buf[]. >> >> Signed-off-by: Robert Sanford <rsanford at akamai.com> >> --- >> lib/librte_port/rte_port_ring.c | 4 ++-- >> 1 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/lib/librte_port/rte_port_ring.c >>b/lib/librte_port/rte_port_ring.c >> index b847fea..765ecc5 100644 >> --- a/lib/librte_port/rte_port_ring.c >> +++ b/lib/librte_port/rte_port_ring.c >> @@ -179,7 +179,7 @@ rte_port_ring_reader_stats_read(void *port, >> struct rte_port_ring_writer { >> struct rte_port_out_stats stats; >> >> - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX]; >> + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX]; >> struct rte_ring *ring; >> uint32_t tx_burst_sz; >> uint32_t tx_buf_count; >> @@ -447,7 +447,7 @@ rte_port_ring_writer_stats_read(void *port, >> struct rte_port_ring_writer_nodrop { >> struct rte_port_out_stats stats; >> >> - struct rte_mbuf *tx_buf[RTE_PORT_IN_BURST_SIZE_MAX]; >> + struct rte_mbuf *tx_buf[2 * RTE_PORT_IN_BURST_SIZE_MAX]; >> struct rte_ring *ring; >> uint32_t tx_burst_sz; >> uint32_t tx_buf_count; >> -- >> 1.7.1 > >Hi Robert, > >How is the buffer overflow taking place? > >After looking long and hard, I spotted that buffer overflow can >potentially take place when the following conditions are met: >1. The input packet burst does not meet the conditions of (a) being >contiguous (first n bits set in pkts_mask, all the other bits cleared) >and (b) containing a full burst, i.e. at least tx_burst_sz packets (n >= >tx_burst_size). This is the slow(er) code path taken when local variable >expr != 0. >2. There are some packets already in the buffer. >3. The number of packets in the incoming burst (i.e. popcount(pkts_mask)) >plus the number of packets already in the buffer exceeds the buffer size >(RTE_PORT_IN_BURST_SIZE_MAX, i.e. 64). > >Is this the buffer overflow scenario that you detected? > >Thanks, >Cristian >
Hi Cristian, Thanks for looking at the patches. Yes, the buffer overflow occurs in the scenario you described. The additional testing steps in patch 1/4 expose the overflow. The first time that I run the table_autotest, it fails. The second time, the process crashes. -- Robert