From b7979d39ef4d6ad0d78bd66e07168401391c34fa Mon Sep 17 00:00:00 2001 From: David Marchand Date: Tue, 18 Jan 2022 15:53:30 +0100 Subject: vhost: fix FD leak with inflight messages [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ] Even if unlikely, a buggy vhost-user master might attach fds to inflight messages. Add checks like for other types of vhost-user messages. Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing") Cc: stable@dpdk.org --- lib/librte_vhost/vhost_user.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 79be132c43..af44d1e69c 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -1441,6 +1441,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, int fd, i, j; void *addr; + if (validate_msg_fds(msg, 0) != 0) + return RTE_VHOST_MSG_RESULT_ERR; + if (msg->size != sizeof(msg->payload.inflight)) { RTE_LOG(ERR, VHOST_CONFIG, "invalid get_inflight_fd message size is %d\n", @@ -1534,6 +1537,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, void *addr; int fd, i; + if (validate_msg_fds(msg, 1) != 0) + return RTE_VHOST_MSG_RESULT_ERR; + fd = msg->fds[0]; if (msg->size != sizeof(msg->payload.inflight) || fd < 0) { RTE_LOG(ERR, VHOST_CONFIG, -- cgit v1.2.1