From: Stephen Hemminger <stephen@networkplumber.org>
To: ajit.khaparde@broadcom.com, somnath.kotur@broadcom.com
Cc: dev@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
Christopher Ertl <Christopher.Ertl@microsoft.com>
Subject: [dpdk-dev] [PATCH 4/6] net/bnxt: check for integer overflow in buffer sizing
Date: Tue, 3 Mar 2020 09:59:36 -0800 [thread overview]
Message-ID: <20200303175938.14292-5-stephen@networkplumber.org> (raw)
In-Reply-To: <20200303175938.14292-1-stephen@networkplumber.org>
If the hardware returns invalid values, the buffer size calculation
could overflow. Check for this by using the GCC/Clang builtin
that checks.
Reported-by: Christopher Ertl <Christopher.Ertl@microsoft.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/bnxt/bnxt_hwrm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c
index ad8bdb1c2913..6beb215d604f 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -11,6 +11,7 @@
#include <rte_malloc.h>
#include <rte_memzone.h>
#include <rte_version.h>
+#include <rte_overflow.h>
#include <rte_io.h>
#include "bnxt.h"
@@ -3861,7 +3862,9 @@ int bnxt_get_nvram_directory(struct bnxt *bp, uint32_t len, uint8_t *data)
len -= 2;
memset(data, 0xff, len);
- buflen = dir_entries * entry_length;
+ if (rte_mul_overflow(dir_entries, entry_length, &buflen))
+ return -EINVAL;
+
buf = rte_malloc("nvm_dir", buflen, 0);
if (buf == NULL)
return -ENOMEM;
--
2.20.1
next prev parent reply other threads:[~2020-03-03 18:00 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-03 17:59 [dpdk-dev] [PATCH 0/6] net/bnxt: bounds checking patches Stephen Hemminger
2020-03-03 17:59 ` [dpdk-dev] [PATCH 1/6] eal: add portable way to check for math overflow Stephen Hemminger
2020-03-03 22:28 ` Dmitry Kozlyuk
2020-03-03 17:59 ` [dpdk-dev] [PATCH 2/6] net/bnxt: fix potential data race Stephen Hemminger
2020-03-03 18:13 ` [dpdk-dev] [EXTERNAL] " Christopher Ertl
2020-03-03 18:16 ` Stephen Hemminger
2020-03-03 17:59 ` [dpdk-dev] [PATCH 3/6] net/bnxt: avoid potential out of bounds read Stephen Hemminger
2020-03-03 17:59 ` Stephen Hemminger [this message]
2020-03-03 17:59 ` [dpdk-dev] [PATCH 5/6] net/bnxt: add integer underflow check Stephen Hemminger
2020-03-03 17:59 ` [dpdk-dev] [PATCH 6/6] net/bnxt: sanitize max_l2_ctx Stephen Hemminger
2020-03-31 11:47 ` [dpdk-dev] [PATCH 0/6] net/bnxt: bounds checking patches Ferruh Yigit
2020-03-31 17:52 ` Ajit Khaparde
2020-03-31 18:04 ` Stephen Hemminger
2020-10-19 22:28 ` Thomas Monjalon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200303175938.14292-5-stephen@networkplumber.org \
--to=stephen@networkplumber.org \
--cc=Christopher.Ertl@microsoft.com \
--cc=ajit.khaparde@broadcom.com \
--cc=dev@dpdk.org \
--cc=somnath.kotur@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).