net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
authorHangyu Hua <hbh25y@gmail.com>
Fri, 8 Sep 2023 06:19:49 +0000 (14:19 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 Sep 2023 10:28:08 +0000 (12:28 +0200)
[ Upstream commit 51fe0a470543f345e3c62b6798929de3ddcedc1d ]

rules is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be checked before using
rules to avoid OOB writing or NULL pointer dereference.

Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c

index b399bdb1ca3620b9a2321cff14d0bf211d03d7a1..f936640cca4e6b7267514fb2e05ed1eebdc62b7d 100644 (file)
@@ -5578,6 +5578,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev,
                break;
        case ETHTOOL_GRXCLSRLALL:
                for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
+                       if (loc == info->rule_cnt) {
+                               ret = -EMSGSIZE;
+                               break;
+                       }
+
                        if (port->rfs_rules[i])
                                rules[loc++] = i;
                }
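Review bot: The new `loc == info->rule_cnt` guard runs on every iteration, including ones where `port->rfs_rules[i]` is empty. A caller whose buffer holds exactly the number of installed rules can therefore still get -EMSGSIZE once the buffer is full and a later, unused slot is scanned. Testing only when an entry is about to be stored keeps the bounds check without the spurious error: `if (port->rfs_rules[i] && loc == info->rule_cnt) {`. The rest of mvpp2_ethtool_get_rxnfc(), including how `ret` is returned after the switch, lies outside the hunk, so this should be confirmed against the full function.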