From: Stephen Hemminger Date: Tue, 11 Aug 2020 02:33:14 +0000 (-0700) Subject: net/netvsc: check for overflow on packet info from host X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=7838d3a6ae7a;p=dpdk.git net/netvsc: check for overflow on packet info from host The data from the host is trusted but checked by the driver. One check that is missing is that the packet offset and length might cause wraparound. Cc: stable@dpdk.org Reported-by: Nan Chen Signed-off-by: Stephen Hemminger Signed-off-by: Long Li --- diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c index a388ff2588..d8d3f07f56 100644 --- a/drivers/net/netvsc/hn_rxtx.c +++ b/drivers/net/netvsc/hn_rxtx.c @@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, struct hn_rx_bufinfo *rxb, void *data, uint32_t dlen) { - unsigned int data_off, data_len, pktinfo_off, pktinfo_len; + unsigned int data_off, data_len, total_len; + unsigned int pktinfo_off, pktinfo_len; const struct rndis_packet_msg *pkt = data; struct hn_rxinfo info = { .vlan_info = HN_NDIS_VLAN_INFO_INVALID, @@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, goto error; } - if (unlikely(data_off + data_len > pkt->len)) + if (__builtin_add_overflow(data_off, data_len, &total_len) || + total_len > pkt->len) goto error; if (unlikely(data_len < RTE_ETHER_HDR_LEN))