From: longli@linuxonhyperv.com
To: "K. Y. Srinivasan", Haiyang Zhang, Stephen Hemminger
Cc: dev@dpdk.org, Stephen Hemminger, stable@dpdk.org, Long Li
Date: Mon, 10 Aug 2020 19:33:14 -0700
Message-Id: <1597113194-90208-4-git-send-email-longli@linuxonhyperv.com>
In-Reply-To: <1597113194-90208-1-git-send-email-longli@linuxonhyperv.com>
References: <1597113194-90208-1-git-send-email-longli@linuxonhyperv.com>
Subject: [dpdk-dev] [PATCH 4/4] net/netvsc: check for overflow on packet info from host
List-Id: DPDK patches and discussions
From: Stephen Hemminger The data from the host is trusted but checked by the driver. One check that is missing is that the packet offset and length might cause wraparound. Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger Signed-off-by: Long Li --- drivers/net/netvsc/hn_rxtx.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c index a388ff258..d8d3f07f5 100644 --- a/drivers/net/netvsc/hn_rxtx.c +++ b/drivers/net/netvsc/hn_rxtx.c @@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, struct hn_rx_bufinfo *rxb, void *data, uint32_t dlen) { - unsigned int data_off, data_len, pktinfo_off, pktinfo_len; + unsigned int data_off, data_len, total_len; + unsigned int pktinfo_off, pktinfo_len; const struct rndis_packet_msg *pkt = data; struct hn_rxinfo info = { .vlan_info = HN_NDIS_VLAN_INFO_INVALID, @@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, goto error; } - if (unlikely(data_off + data_len > pkt->len)) + if (__builtin_add_overflow(data_off, data_len, &total_len) || + total_len > pkt->len) goto error; if (unlikely(data_len < RTE_ETHER_HDR_LEN)) -- 2.25.1
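Review bot: The rewritten bounds check in the second hunk (@@ -711) loses the unlikely() hint that the removed line carried, so the error branch on this receive path is no longer marked as the cold one. Wrapping the whole condition, as in `if (unlikely(__builtin_add_overflow(data_off, data_len, &total_len) || total_len > pkt->len))`, keeps the hint and stays consistent with the `unlikely(data_len < RTE_ETHER_HDR_LEN)` check that follows. Separately, __builtin_add_overflow is a GCC/Clang builtin (GCC gained it in version 5), and with Cc: stable this change is headed for branches that may still be built with older toolchains; for unsigned operands the form `data_off > pkt->len || data_len > pkt->len - data_off` rejects the same inputs without the builtin and without the extra total_len variable added in the first hunk. The commit message speaks of "packet offset and length" in general, and the function also declares pktinfo_off and pktinfo_len; if those are summed and compared against pkt->len elsewhere in the function, that sum deserves the same wraparound check.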