devices: vhoost cpu->copy array overflow on tcp jumbo frame (65535 bytes)

[vpp.git] / src / vnet / devices / virtio / vhost_user_output.c

diff --git a/src/vnet/devices/virtio/vhost_user_output.c b/src/vnet/devices/virtio/vhost_user_output.c
index c0c54d1..de34a3a 100644 (file)
--- a/src/vnet/devices/virtio/vhost_user_output.c
+++ b/src/vnet/devices/virtio/vhost_user_output.c
@@ -49,9 +49,12 @@
  * entries. In order to not corrupt memory, we have to do the copy when the
  * static array reaches the copy threshold. We subtract 40 in case the code
  * goes into the inner loop for a maximum of 64k frames which may require
- * more array entries.
+ * more array entries. We subtract 200 because our default buffer size is
+ * 2048 and the default desc len is likely 1536. While it takes less than 40
+ * vlib buffers for the jumbo frame, it may take twice as much descriptors
+ * for the same jumbo frame. Use 200 for the extra head room.
  */
-#define VHOST_USER_TX_COPY_THRESHOLD (VHOST_USER_COPY_ARRAY_N - 40)
+#define VHOST_USER_TX_COPY_THRESHOLD (VHOST_USER_COPY_ARRAY_N - 200)
 
 extern vnet_device_class_t vhost_user_device_class;
 
@@ -339,6 +342,7 @@ retry:
        hdr->num_buffers = 1;   //This is local, no need to check
 
        // Prepare a copy order executed later for the header
+       ASSERT (copy_len < VHOST_USER_COPY_ARRAY_N);
        vhost_copy_t *cpy = &cpu->copy[copy_len];
        copy_len++;
        cpy->len = vui->virtio_net_hdr_sz;
@@ -426,6 +430,7 @@ retry:
            }
 
          {
+           ASSERT (copy_len < VHOST_USER_COPY_ARRAY_N);
            vhost_copy_t *cpy = &cpu->copy[copy_len];
            copy_len++;
            cpy->len = bytes_left;