From 7838d3a6ae7a4ae8b3e994efe0d7d9f814941841 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 10 Aug 2020 19:33:14 -0700 Subject: [PATCH] net/netvsc: check for overflow on packet info from host The data from the host is trusted but checked by the driver. One check that is missing is that the packet offset and length might cause wraparound. Cc: stable@dpdk.org Reported-by: Nan Chen Signed-off-by: Stephen Hemminger Signed-off-by: Long Li --- drivers/net/netvsc/hn_rxtx.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c index a388ff2588..d8d3f07f56 100644 --- a/drivers/net/netvsc/hn_rxtx.c +++ b/drivers/net/netvsc/hn_rxtx.c @@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, struct hn_rx_bufinfo *rxb, void *data, uint32_t dlen) { - unsigned int data_off, data_len, pktinfo_off, pktinfo_len; + unsigned int data_off, data_len, total_len; + unsigned int pktinfo_off, pktinfo_len; const struct rndis_packet_msg *pkt = data; struct hn_rxinfo info = { .vlan_info = HN_NDIS_VLAN_INFO_INVALID, @@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, goto error; } - if (unlikely(data_off + data_len > pkt->len)) + if (__builtin_add_overflow(data_off, data_len, &total_len) || + total_len > pkt->len) goto error; if (unlikely(data_len < RTE_ETHER_HDR_LEN)) -- 2.20.1