From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 611D0C433DF for ; Tue, 11 Aug 2020 02:33:59 +0000 (UTC) Received: from dpdk.org (dpdk.org [92.243.14.124]) by mail.kernel.org (Postfix) with ESMTP id 2123B20639 for ; Tue, 11 Aug 2020 02:33:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=linuxonhyperv.com header.i=@linuxonhyperv.com header.b="J1LFhnLA" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2123B20639 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linuxonhyperv.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dev-bounces@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 3622A1C08C; Tue, 11 Aug 2020 04:33:46 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by dpdk.org (Postfix) with ESMTP id 8C4C51C08C; Tue, 11 Aug 2020 04:33:44 +0200 (CEST) Received: by linux.microsoft.com (Postfix, from userid 1004) id E076420B4908; Mon, 10 Aug 2020 19:33:43 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E076420B4908 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxonhyperv.com; s=default; t=1597113223; bh=WVckJmi8AGdCCwJtbzVpWAlX8XBX+WYKyfGJInxn5f0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=J1LFhnLATHaBbXmSuuwGMJUwgiKjR2ErZsJ2zX5rQwhaXgGeqr6PS/GKvzhqqBHSt 9Z+pyZnjdLoroqS3+wuPifEMe/u2WFc7nFJUI44Be32ujYU72j9VMq9Gxyp2nw30nA qEZXKhO3WORbocdgUYNENBCcJ6QJeOVplvNzZ8vw= From: longli@linuxonhyperv.com To: "K. Y. Srinivasan" , Haiyang Zhang , Stephen Hemminger Cc: dev@dpdk.org, Stephen Hemminger , stable@dpdk.org, Long Li Date: Mon, 10 Aug 2020 19:33:14 -0700 Message-Id: <1597113194-90208-4-git-send-email-longli@linuxonhyperv.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1597113194-90208-1-git-send-email-longli@linuxonhyperv.com> References: <1597113194-90208-1-git-send-email-longli@linuxonhyperv.com> Subject: [dpdk-dev] [PATCH 4/4] net/netvsc: check for overflow on packet info from host X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Stephen Hemminger The data from the host is trusted but checked by the driver. One check that is missing is that the packet offset and length might cause wraparound. Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger Signed-off-by: Long Li --- drivers/net/netvsc/hn_rxtx.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c index a388ff258..d8d3f07f5 100644 --- a/drivers/net/netvsc/hn_rxtx.c +++ b/drivers/net/netvsc/hn_rxtx.c @@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, struct hn_rx_bufinfo *rxb, void *data, uint32_t dlen) { - unsigned int data_off, data_len, pktinfo_off, pktinfo_len; + unsigned int data_off, data_len, total_len; + unsigned int pktinfo_off, pktinfo_len; const struct rndis_packet_msg *pkt = data; struct hn_rxinfo info = { .vlan_info = HN_NDIS_VLAN_INFO_INVALID, @@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, goto error; } - if (unlikely(data_off + data_len > pkt->len)) + if (__builtin_add_overflow(data_off, data_len, &total_len) || + total_len > pkt->len) goto error; if (unlikely(data_len < RTE_ETHER_HDR_LEN)) -- 2.25.1