From: Soumyadeep Hore
To: bruce.richardson@intel.com, ian.stokes@intel.com, aman.deep.singh@intel.com
Cc: dev@dpdk.org, shaiq.wani@intel.com, Jacob Keller
Subject: [PATCH v3 04/12] net/ice: avoid reading past end of PFA
Date: Fri, 23 Aug 2024 09:56:42 +0000
Message-ID: <20240823095650.349785-5-soumyadeep.hore@intel.com>
In-Reply-To: <20240823095650.349785-1-soumyadeep.hore@intel.com>
References: <20240822185346.221885-13-soumyadeep.hore@intel.com> <20240823095650.349785-1-soumyadeep.hore@intel.com>
List-Id: DPDK patches and discussions

From: Jacob Keller

The ice_get_pfa_module_tlv() function iterates over the Preserved
Fields Area to read data from the Shadow RAM, including the Part Board
Assembly data, among others.

If the specific TLV being requested is not found in the current NVM, the
code will read past the end of the PFA, misinterpreting the last word of
the PFA and the word just after the PFA as another TLV. This typically
results in one extra iteration before the length check of the while loop
is triggered.

Signed-off-by: Jacob Keller
Signed-off-by: Soumyadeep Hore
---
 drivers/net/ice/base/ice_nvm.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index 5e982de4b5..0124cef04c 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -498,11 +498,16 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read PFA length.\n"); return status; } - /* Starting with first TLV after PFA length, iterate through the list + /* The Preserved Fields Area contains a sequence of TLVs which define + * its contents. The PFA length includes all of the TLVs, plus its + * initial length word itself, *and* one final word at the end of all + * of the TLVs. + * + * Starting with first TLV after PFA length, iterate through the list * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < ((u32)pfa_ptr + pfa_len)) { + while (next_tlv < ((u32)pfa_ptr + pfa_len - 1)) { u16 tlv_sub_module_type; u16 tlv_len; -- 2.43.0
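Review bot: The new loop bound `(u32)pfa_ptr + pfa_len - 1` subtracts from a length that was just read from the NVM, and nothing visible in this hunk checks that length before it is used. Because the cast makes the sum unsigned, a PFA pointer and length that add up to 0 would wrap the bound to a very large value instead of ending the loop, and a length of 1 describes a PFA that cannot hold both the length word and the final word the new comment describes. Consider rejecting pfa_len < 2 (and a pfa_ptr + pfa_len that overflows the addressable Shadow RAM range) right after the "Failed to read PFA length" check, with an error return and a debug message. Separately, the commit message says a TLV header occupies two words, so with the condition `next_tlv < ... - 1` a malformed TLV length that leaves next_tlv at pfa_ptr + pfa_len - 2 would still enter the loop and take the final word as a TLV length; if that case should also be excluded, the bound needs to leave room for a full header. It would also help to name what the "one final word" is in the new comment, so the `- 1` does not look arbitrary to the next reader.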