[dpdk-dev] [PATCH 4/6] net/bnxt: check for integer overflow in buffer sizing

Stephen Hemminger stephen at networkplumber.org
Tue Mar 3 18:59:36 CET 2020

Previous message: [dpdk-dev] [PATCH 3/6] net/bnxt: avoid potential out of bounds read
Next message: [dpdk-dev] [PATCH 5/6] net/bnxt: add integer underflow check
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If the hardware returns invalid values, the buffer size calculation
could overflow.  Check for this by using the GCC/Clang builtin
that checks.

Reported-by: Christopher Ertl <Christopher.Ertl at microsoft.com>
Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/net/bnxt/bnxt_hwrm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c
index ad8bdb1c2913..6beb215d604f 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -11,6 +11,7 @@
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_version.h>
+#include <rte_overflow.h>
 #include <rte_io.h>
 
 #include "bnxt.h"
@@ -3861,7 +3862,9 @@ int bnxt_get_nvram_directory(struct bnxt *bp, uint32_t len, uint8_t *data)
 	len -= 2;
 	memset(data, 0xff, len);
 
-	buflen = dir_entries * entry_length;
+	if (rte_mul_overflow(dir_entries, entry_length, &buflen))
+		return -EINVAL;
+
 	buf = rte_malloc("nvm_dir", buflen, 0);
 	if (buf == NULL)
 		return -ENOMEM;
-- 
2.20.1

Previous message: [dpdk-dev] [PATCH 3/6] net/bnxt: avoid potential out of bounds read
Next message: [dpdk-dev] [PATCH 5/6] net/bnxt: add integer underflow check
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list