From 312acce5e228250f6e1cd3e34dcd26b8af411419 Mon Sep 17 00:00:00 2001 From: Wei Zhao Date: Fri, 10 Apr 2020 08:41:55 +0800 Subject: [PATCH] net/ice/base: check number of chained recipes When we add some long switch rule, we need check the number of final recipe number, if it is large than ICE_MAX_CHAIN_RECIPE, we should refuse this rule. For example: "flow create 0 ingress pattern eth / ipv6 src is CDCD:910A:2222:5498:8475:1111:3900:1536 dst is CDCD:910A:2222:5498:8475:1111:3900:2022 tc is 3 / udp dst is 45 / end actions queue index 2 / end" This rule will consume 6 recipe, if it is not refused, it will cause the following code over write of lkup_indx and mask. LIST_FOR_EACH_ENTRY(entry, &rm->rg_list, ice_recp_grp_entry, l_entry) { last_chain_entry->fv_idx[i] = entry->chain_idx; buf[recps].content.lkup_indx[i] = entry->chain_idx; buf[recps].content.mask[i++] = CPU_TO_LE16(0xFFFF); .......... } Signed-off-by: Wei Zhao Acked-by: Qi Zhang Tested-by: Nannan Lu --- drivers/net/ice/base/ice_switch.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ice/base/ice_switch.c b/drivers/net/ice/base/ice_switch.c index 07f8efd651..7e7d748948 100644 --- a/drivers/net/ice/base/ice_switch.c +++ b/drivers/net/ice/base/ice_switch.c @@ -5352,6 +5352,9 @@ ice_add_sw_recipe(struct ice_hw *hw, struct ice_sw_recipe *rm, rm->n_grp_count++; } + if (rm->n_grp_count > ICE_MAX_CHAIN_RECIPE) + return ICE_ERR_MAX_LIMIT; + tmp = (struct ice_aqc_recipe_data_elem *)ice_calloc(hw, ICE_MAX_NUM_RECIPES, sizeof(*tmp)); -- 2.20.1