From e9d5c5fb6872e885aadbec2baeec47e681e0edc7 Mon Sep 17 00:00:00 2001 From: Ivan Malov Date: Thu, 5 Nov 2020 23:46:12 +0300 Subject: [PATCH] common/sfc_efx/base: avoid reading past buffer Existing field ID validity check does not validate the field descriptor availability. Make it more rigorous to avoid reading past the buffer containing field descriptors. Coverity issue: 363742 Fixes: 370ed675a952 ("common/sfc_efx/base: support setting PPORT in match spec") Signed-off-by: Ivan Malov Reviewed-by: Andy Moreton --- drivers/common/sfc_efx/base/efx_mae.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/common/sfc_efx/base/efx_mae.c b/drivers/common/sfc_efx/base/efx_mae.c index af9a5189c7..ee0a3d3196 100644 --- a/drivers/common/sfc_efx/base/efx_mae.c +++ b/drivers/common/sfc_efx/base/efx_mae.c @@ -622,25 +622,30 @@ efx_mae_match_spec_field_set( __in_bcount(mask_size) const uint8_t *mask) { const efx_mae_mv_desc_t *descp; + unsigned int desc_set_nentries; uint8_t *mvp; efx_rc_t rc; - if (field_id >= EFX_MAE_FIELD_NIDS) { - rc = EINVAL; - goto fail1; - } - switch (spec->emms_type) { case EFX_MAE_RULE_OUTER: + desc_set_nentries = + EFX_ARRAY_SIZE(__efx_mae_outer_rule_mv_desc_set); descp = &__efx_mae_outer_rule_mv_desc_set[field_id]; mvp = spec->emms_mask_value_pairs.outer; break; case EFX_MAE_RULE_ACTION: + desc_set_nentries = + EFX_ARRAY_SIZE(__efx_mae_action_rule_mv_desc_set); descp = &__efx_mae_action_rule_mv_desc_set[field_id]; mvp = spec->emms_mask_value_pairs.action; break; default: rc = ENOTSUP; + goto fail1; + } + + if (field_id >= desc_set_nentries) { + rc = EINVAL; goto fail2; } -- 2.20.1