On Thu, Apr 04, 2019 at 12:58:36PM +0200, Stefano Garzarella wrote: > @@ -139,8 +139,18 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, > break; > } > > - len = iov_length(&vq->iov[out], in); > - iov_iter_init(&iov_iter, READ, &vq->iov[out], in, len); > + payload_len = pkt->len - pkt->off; > + iov_len = iov_length(&vq->iov[out], in); > + iov_iter_init(&iov_iter, READ, &vq->iov[out], in, iov_len); > + > + /* If the packet is greater than the space available in the > + * buffer, we split it using multiple buffers. > + */ > + if (payload_len > iov_len - sizeof(pkt->hdr)) Integer underflow. iov_len is controlled by the guest and therefore untrusted. Please validate iov_len before assuming it's larger than sizeof(pkt->hdr). > - vhost_add_used(vq, head, sizeof(pkt->hdr) + pkt->len); > + vhost_add_used(vq, head, sizeof(pkt->hdr) + payload_len); > added = true; > > + pkt->off += payload_len; > + > + /* If we didn't send all the payload we can requeue the packet > + * to send it with the next available buffer. > + */ > + if (pkt->off < pkt->len) { > + spin_lock_bh(&vsock->send_pkt_list_lock); > + list_add(&pkt->list, &vsock->send_pkt_list); > + spin_unlock_bh(&vsock->send_pkt_list_lock); > + continue; The virtio_transport_deliver_tap_pkt() call is skipped. Packet capture should see the exact packets that are delivered. I think this patch will present one large packet instead of several smaller packets that were actually delivered.
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Virtualization mailing list Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/virtualization