From 7ecfe8521fbb6a845f08a6b178676d1d6c5a7802 Mon Sep 17 00:00:00 2001 From: Kishore Padmanabha Date: Thu, 10 Sep 2020 18:55:58 -0700 Subject: [PATCH] net/bnxt: fix out of bound access in bit handling Fix out of bounds access in action bit handling. The act_val is changed to be array to resolve out of bound access issue. Fixes: 52799debdf1c ("net/bnxt: support action bitmap opcode") Cc: stable@dpdk.org Signed-off-by: Kishore Padmanabha Reviewed-by: Shahaji Bhosle Reviewed-by: Mike Baucom Reviewed-by: Ajit Khaparde --- drivers/net/bnxt/tf_ulp/ulp_mapper.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/net/bnxt/tf_ulp/ulp_mapper.c b/drivers/net/bnxt/tf_ulp/ulp_mapper.c index 15682673d8..7321411669 100644 --- a/drivers/net/bnxt/tf_ulp/ulp_mapper.c +++ b/drivers/net/bnxt/tf_ulp/ulp_mapper.c @@ -782,7 +782,7 @@ ulp_mapper_result_field_process(struct bnxt_ulp_mapper_parms *parms, uint64_t regval; uint32_t val_size = 0, field_size = 0; uint64_t act_bit; - uint8_t act_val; + uint8_t act_val[16]; uint64_t hdr_bit; switch (fld->result_opcode) { @@ -824,19 +824,18 @@ ulp_mapper_result_field_process(struct bnxt_ulp_mapper_parms *parms, return -EINVAL; } act_bit = tfp_be_to_cpu_64(act_bit); + memset(act_val, 0, sizeof(act_val)); if (ULP_BITMAP_ISSET(parms->act_bitmap->bits, act_bit)) - act_val = 1; - else - act_val = 0; + act_val[0] = 1; if (fld->field_bit_size > ULP_BYTE_2_BITS(sizeof(act_val))) { BNXT_TF_DBG(ERR, "%s field size is incorrect\n", name); return -EINVAL; } - if (!ulp_blob_push(blob, &act_val, fld->field_bit_size)) { + if (!ulp_blob_push(blob, act_val, fld->field_bit_size)) { BNXT_TF_DBG(ERR, "%s push field failed\n", name); return -EINVAL; } - val = &act_val; + val = act_val; break; case BNXT_ULP_MAPPER_OPC_SET_TO_ENCAP_ACT_PROP_SZ: if (!ulp_operand_read(fld->result_operand, -- 2.20.1