From 917ce8bd36f8fca277b09c0717fccb6ec60f4f1d Mon Sep 17 00:00:00 2001
From: Rasesh Mody
Date: Thu, 22 Dec 2016 16:50:02 -0800
Subject: [PATCH] net/qede/base: fix Rx queue access by malicious VFs

Rx queue access is still done prior to the index being validated by PF. Hence move Rx queue and status block validation check before accessing Rx queue to prevent malicious VFs from using out-of-bound queue indices.

Fixes: 98bc693e1938 ("net/qede/base: change queue start")

Signed-off-by: Rasesh Mody
---
 drivers/net/qede/base/ecore_sriov.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/qede/base/ecore_sriov.c b/drivers/net/qede/base/ecore_sriov.c
index de54b9a08d..1255296636 100644
--- a/drivers/net/qede/base/ecore_sriov.c
+++ b/drivers/net/qede/base/ecore_sriov.c
@@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
 enum _ecore_status_t rc;
 
 req = &mbx->req_virt->start_rxq;
+
+ if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
+ !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
+ goto out;
+
 OSAL_MEMSET(&p_params, 0, sizeof(p_params));
 p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
 p_params.vf_qid = req->rx_qid;
@@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
 p_params.sb = req->hw_sb;
 p_params.sb_idx = req->sb_index;
 
- if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
- !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
- goto out;
-
 /* Legacy VFs have their Producers in a different location, which they
 * calculate on their own and clean the producer prior to this.
 */
-- 
2.20.1
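Review bot: `req->sb_index` is still copied into `p_params.sb_idx` with no validation visible in either hunk, although it arrives in the same VF mailbox request as the `rx_qid` and `hw_sb` fields that the moved check now guards; whether it is bounded further down is not shown here, so it should be confirmed before treating the request as fully validated. The new guard in the first hunk would also benefit from a comment stating the invariant it protects, for example `/* rx_qid and hw_sb are VF-supplied: validate before indexing vf->vf_queues[] */`, so that a later refactor does not move the array access back above it. The function begins and ends outside both hunks, including the `out` label, so the status returned to the VF when a request is rejected, and whether the still-unassigned `rc` is read on that path, cannot be checked from this page.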