git.droids-corp.org / dpdk.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0caf562)
net/netvsc: check for overflow on packet info from host
authorStephen Hemminger <stephen@networkplumber.org>
Tue, 11 Aug 2020 02:33:14 +0000 (19:33 -0700)
committerFerruh Yigit <ferruh.yigit@intel.com>
Fri, 18 Sep 2020 16:55:06 +0000 (18:55 +0200)
The data from the host is trusted but checked by the driver.
One check that is missing is that the packet offset and length
might cause wraparound.

Cc: stable@dpdk.org
Reported-by: Nan Chen <whutchennan@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Long Li <longli@microsoft.com>
drivers/net/netvsc/hn_rxtx.c patch | blob | history

diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c
index a388ff2..d8d3f07 100644 (file)
--- a/drivers/net/netvsc/hn_rxtx.c
+++ b/drivers/net/netvsc/hn_rxtx.c
@@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
                             struct hn_rx_bufinfo *rxb,
                             void *data, uint32_t dlen)
 {
-       unsigned int data_off, data_len, pktinfo_off, pktinfo_len;
+       unsigned int data_off, data_len, total_len;
+       unsigned int pktinfo_off, pktinfo_len;
        const struct rndis_packet_msg *pkt = data;
        struct hn_rxinfo info = {
                .vlan_info = HN_NDIS_VLAN_INFO_INVALID,
@@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
                        goto error;
        }
 
-       if (unlikely(data_off + data_len > pkt->len))
+       if (__builtin_add_overflow(data_off, data_len, &total_len) ||
+           total_len > pkt->len)
                goto error;
 
        if (unlikely(data_len < RTE_ETHER_HDR_LEN))
DPDK repo used for reviews