The 'queue_index' passed to the create/close_session functions comes from the guest and can exceed 'MAX_CRYPTO_QUEUE_NUM'. This leads to an out-of-bounds (oob) access. This patch avoids this.
Signed-off-by: Li Qiang <liq...@163.com>
---
 backends/cryptodev-builtin.c | 4 ++++
 backends/cryptodev-vhost-user.c | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 9fb0bd57a6..c3a65b2f5f 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -249,6 +249,8 @@ static int64_t cryptodev_builtin_sym_create_session(
 CryptoDevBackendSymSessionInfo *sess_info,
 uint32_t queue_index, Error **errp)
 {
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
 CryptoDevBackendBuiltin *builtin =
 CRYPTODEV_BACKEND_BUILTIN(backend);
 int64_t session_id = -1;
@@ -280,6 +282,8 @@ static int cryptodev_builtin_sym_close_session(
 uint64_t session_id,
 uint32_t queue_index, Error **errp)
 {
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
 CryptoDevBackendBuiltin *builtin =
 CRYPTODEV_BACKEND_BUILTIN(backend);
 
diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c
index 1052a5d0e9..36a40eeb4d 100644
--- a/backends/cryptodev-vhost-user.c
+++ b/backends/cryptodev-vhost-user.c
@@ -236,6 +236,8 @@ static int64_t cryptodev_vhost_user_sym_create_session(
 CryptoDevBackendSymSessionInfo *sess_info,
 uint32_t queue_index, Error **errp)
 {
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
 CryptoDevBackendClient *cc =
 backend->conf.peers.ccs[queue_index];
 CryptoDevBackendVhost *vhost_crypto;
@@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session(
 uint64_t session_id,
 uint32_t queue_index, Error **errp)
 {
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
 CryptoDevBackendClient *cc =
 backend->conf.peers.ccs[queue_index];
 CryptoDevBackendVhost *vhost_crypto;
--
2.17.1
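Review bot: The added `assert(queue_index < MAX_CRYPTO_QUEUE_NUM);` in all four hunks (the create_session and close_session functions of both cryptodev-builtin.c and cryptodev-vhost-user.c) turns an out-of-range index that the commit message says comes from the guest into an abort of the whole QEMU process, so the out-of-bounds access is traded for a guest-triggerable denial of service. Each of these functions already receives `Error **errp`, so the range check can fail the request instead by setting an error and returning the failure value (presumably -1, as the `session_id = -1` initializer in the first hunk suggests; confirm for the close_session variants). In the two vhost-user hunks the check has to precede `backend->conf.peers.ccs[queue_index]`, which is why the assert sits above the declarations; splitting the `cc` declaration from its assignment keeps declarations first, as sketched below for cryptodev_vhost_user_sym_create_session. All four function bodies continue past the end of their hunks, so how callers react to the failure return is not visible here.

```c
/* … unchanged: signature of cryptodev_vhost_user_sym_create_session … */
{
    CryptoDevBackendClient *cc;
    CryptoDevBackendVhost *vhost_crypto;

    /* queue_index is guest-influenced: reject it, do not abort the VMM */
    if (queue_index >= MAX_CRYPTO_QUEUE_NUM) {
        error_setg(errp, "queue_index %" PRIu32 " is out of range",
                   queue_index);
        return -1;
    }
    cc = backend->conf.peers.ccs[queue_index];
    /* … unchanged: rest of the function, outside the hunk … */
```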