memif: crash on recceiving a bad descriptor

We validate each descriptor via memif_validate_desc_data and set
desc_status to non-zero for the corresponding descriptor when
the descriptor is bad. However, desc_status is not propagated back to
xor_status in memif_validate_desc_data which eventually sets
ptd->xor_status.

Not setting ptd->xor_status causes us to treat all descriptors as
"simple". In that case, when we try to copy also the bad descriptors to
the buffers, it results a crash since desc_data is not set to point
to the correct memory in the descriptor.

The fix is to set xor_status in memif_validate_desc_data such that if
there is a bad descriptor in the frame, "is_simple" is set to false and
we have to selectively copy only the good descriptors to the buffers.

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I780f51a42aa0f8745edcddebbe02b2961c183598

diff --git a/src/plugins/memif/node.c b/src/plugins/memif/node.c
index ce9f95b..5abd20a 100644 (file)
--- a/src/plugins/memif/node.c
+++ b/src/plugins/memif/node.c
@@ -223,9 +223,9 @@ memif_validate_desc_data (memif_per_thread_data_t *ptd, memif_if_t *mif,
          desc_data[i] = r->shm + offset;
          if (len > max_len)
            max_len = len;
-         xor_status |= desc_status[i].as_u8;
          n_rx_bytes += len;
        }
+      xor_status |= desc_status[i].as_u8;
     }
 
   ptd->max_desc_len = max_len;