From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 68596A0571;
	Tue,  3 Mar 2020 19:00:11 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 779421C029;
	Tue,  3 Mar 2020 18:59:48 +0100 (CET)
Received: from mail-pg1-f195.google.com (mail-pg1-f195.google.com
 [209.85.215.195]) by dpdk.org (Postfix) with ESMTP id 469771C01B
 for <dev@dpdk.org>; Tue,  3 Mar 2020 18:59:46 +0100 (CET)
Received: by mail-pg1-f195.google.com with SMTP id m5so1905359pgg.0
 for <dev@dpdk.org>; Tue, 03 Mar 2020 09:59:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20150623.gappssmtp.com; s=20150623;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=LjZDm1y9Bm3Y9T51ZbQPgdj+mQXmxtrPnw8e2sLhH+w=;
 b=fmGhWcq556D7HSfj15zwWxCJgSgF83+tpCVhYzcOw9xXpHqWtQaVC0jXPPdFDhHb7K
 ZAEh7AJym1AAV1/DWYYizPChNeqau+bRR5mjaFg1xcgGfuC5hcgsC8XEwXzYbte/xe3e
 7T7Gn9KvljbNYctk1WEFHQ8sJbwAq3dfQQBFR2W60lpRAxkvQhqRGmxT1pFtjecG3CHG
 XK82gg3SuHkzj82Bi4sgpfA4gxyq8KotkMlnHZYmaHiA+cj1d9dgjGRyPuCnwccxPbrT
 l1AO4soGmqfFpI0GAV1RpHKdRJITmfHJ+fDJinUzdcUpIYU+Fbt2J7RneMNRo7w3O6E9
 Nu8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=LjZDm1y9Bm3Y9T51ZbQPgdj+mQXmxtrPnw8e2sLhH+w=;
 b=o/5ORhmku64r/gPCct2DyWZmwQELk08ZOtUHoGX9+gx8dOpncfw5lgG/Iy/415Go4o
 KOJpwRCDYVjKNlhdBWIiapedLrf1FbNip6PGetHjrttAOsaU7Ap+VfKGrf28rndrUses
 4wBtDKKu/IRrhNAFP2BCvlJRWas7KkX9ERdL0L7RuiMt8LlnxbuwymwdrylQODbfrxrV
 XEz6mZRM7+boqFR+Lt6NB27NgGFxtvZNQh+RF80GevFdaHd3OyMMyPHnyyS02Jr4mLfW
 ybfq7gytIuaWQl6hz7QKXCSJOJEvOA89LblOgdeS1S0XWao7RHCChTKteFepxCGb2Bnj
 ILwA==
X-Gm-Message-State: ANhLgQ2Xt1rR3kIPZLgHyHmCxVZaqdgk4fyN0mtYfX+8FvDTzmLONXRi
 pwes2Tj279HmbkvIWW2oddPqaw==
X-Google-Smtp-Source: ADFU+vur9sRjPRUABWf9oxQbPwe8YEst+U/h9Nv+CnQEV/lKoLyQxbEa6AqcSIg59mDO+hzjodLwrQ==
X-Received: by 2002:a63:2a4e:: with SMTP id q75mr5171280pgq.358.1583258385478; 
 Tue, 03 Mar 2020 09:59:45 -0800 (PST)
Received: from hermes.corp.microsoft.com (204-195-22-127.wavecable.com.
 [204.195.22.127])
 by smtp.gmail.com with ESMTPSA id w195sm22012158pfd.65.2020.03.03.09.59.44
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 03 Mar 2020 09:59:44 -0800 (PST)
From: Stephen Hemminger <stephen@networkplumber.org>
To: ajit.khaparde@broadcom.com,
	somnath.kotur@broadcom.com
Cc: dev@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
 Christopher Ertl <Christopher.Ertl@microsoft.com>
Date: Tue,  3 Mar 2020 09:59:35 -0800
Message-Id: <20200303175938.14292-4-stephen@networkplumber.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200303175938.14292-1-stephen@networkplumber.org>
References: <20200303175938.14292-1-stephen@networkplumber.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH 3/6] net/bnxt: avoid potential out of bounds read
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

If hardware returned a bogus number of vnic's  from the
query it could cause an out of bounds read into vnic table.

Reported-by: Christopher Ertl <Christopher.Ertl@microsoft.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/bnxt/bnxt_hwrm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c
index 20e2f6a36713..ad8bdb1c2913 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -4029,6 +4029,12 @@ static int bnxt_hwrm_func_vf_vnic_query(struct bnxt *bp, uint16_t vf,
 
 	HWRM_UNLOCK();
 
+	if (rc > bp->pf.total_vnics) {
+		PMD_DRV_LOG(ERR,
+			    "Vnic id %d is out of range\n", rc);
+		return -EINVAL;
+	}
+
 	return rc;
 }
 
-- 
2.20.1