[dpdk-dev] [PATCH 4/4] net/netvsc: check for overflow on packet info from host

longli at linuxonhyperv.com longli at linuxonhyperv.com
Tue Aug 11 04:33:14 CEST 2020


From: Stephen Hemminger <stephen at networkplumber.org>

The data from the host is trusted but checked by the driver.
One check that is missing is that the packet offset and length
might cause wraparound.

Cc: stable at dpdk.org

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Signed-off-by: Long Li <longli at microsoft.com>
---
 drivers/net/netvsc/hn_rxtx.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c
index a388ff258..d8d3f07f5 100644
--- a/drivers/net/netvsc/hn_rxtx.c
+++ b/drivers/net/netvsc/hn_rxtx.c
@@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
 			     struct hn_rx_bufinfo *rxb,
 			     void *data, uint32_t dlen)
 {
-	unsigned int data_off, data_len, pktinfo_off, pktinfo_len;
+	unsigned int data_off, data_len, total_len;
+	unsigned int pktinfo_off, pktinfo_len;
 	const struct rndis_packet_msg *pkt = data;
 	struct hn_rxinfo info = {
 		.vlan_info = HN_NDIS_VLAN_INFO_INVALID,
@@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
 			goto error;
 	}
 
-	if (unlikely(data_off + data_len > pkt->len))
+	if (__builtin_add_overflow(data_off, data_len, &total_len) ||
+	    total_len > pkt->len)
 		goto error;
 
 	if (unlikely(data_len < RTE_ETHER_HDR_LEN))
-- 
2.25.1



More information about the dev mailing list