From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id E575EA0521;
	Thu,  5 Nov 2020 21:46:25 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 5E0E9126B;
	Thu,  5 Nov 2020 21:46:24 +0100 (CET)
Received: from shelob.oktetlabs.ru (shelob.oktetlabs.ru [91.220.146.113])
 by dpdk.org (Postfix) with ESMTP id BAEACF90
 for <dev@dpdk.org>; Thu,  5 Nov 2020 21:46:22 +0100 (CET)
Received: from localhost.localdomain (unknown [188.242.7.54])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by shelob.oktetlabs.ru (Postfix) with ESMTPSA id 122817F507;
 Thu,  5 Nov 2020 23:46:21 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 shelob.oktetlabs.ru 122817F507
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=oktetlabs.ru;
 s=default; t=1604609181;
 bh=W2ldxxGHcOSGUQd2vgcOJDTuBmqAPoVosUKWHrZ89CM=;
 h=From:To:Cc:Subject:Date;
 b=OX/Afe316nORNZZyZbtyVXLkai5hCb56DFqVBC5tzrZ4HcjhFc2L4Rexex3s7uIi/
 NjKi8Aux6+blSCVyTMEwJfxM8+EFW9SRwVK3spSO/dWGfbQ1HI5J2C+248OxQzcWYt
 Idql4HXZfgPilTUm6AI2/kNsRt3aCT8K68peEzAI=
From: Ivan Malov <ivan.malov@oktetlabs.ru>
To: dev@dpdk.org
Cc: Andy Moreton <amoreton@xilinx.com>,
 Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Date: Thu,  5 Nov 2020 23:46:12 +0300
Message-Id: <20201105204612.29881-1-ivan.malov@oktetlabs.ru>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH] common/sfc_efx/base: avoid reading past the
	buffer
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Existing field ID validity check does not validate the field
descriptor availability. Make it more rigorous to avoid
reading past the buffer containing field descriptors.

Coverity issue: 363742
Fixes: 370ed675a952 ("common/sfc_efx/base: support setting PPORT in match spec")

Signed-off-by: Ivan Malov <ivan.malov@oktetlabs.ru>
Reviewed-by: Andy Moreton <amoreton@xilinx.com>
---
 drivers/common/sfc_efx/base/efx_mae.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/common/sfc_efx/base/efx_mae.c b/drivers/common/sfc_efx/base/efx_mae.c
index af9a5189c..ee0a3d319 100644
--- a/drivers/common/sfc_efx/base/efx_mae.c
+++ b/drivers/common/sfc_efx/base/efx_mae.c
@@ -622,25 +622,30 @@ efx_mae_match_spec_field_set(
 	__in_bcount(mask_size)		const uint8_t *mask)
 {
 	const efx_mae_mv_desc_t *descp;
+	unsigned int desc_set_nentries;
 	uint8_t *mvp;
 	efx_rc_t rc;
 
-	if (field_id >= EFX_MAE_FIELD_NIDS) {
-		rc = EINVAL;
-		goto fail1;
-	}
-
 	switch (spec->emms_type) {
 	case EFX_MAE_RULE_OUTER:
+		desc_set_nentries =
+		    EFX_ARRAY_SIZE(__efx_mae_outer_rule_mv_desc_set);
 		descp = &__efx_mae_outer_rule_mv_desc_set[field_id];
 		mvp = spec->emms_mask_value_pairs.outer;
 		break;
 	case EFX_MAE_RULE_ACTION:
+		desc_set_nentries =
+		    EFX_ARRAY_SIZE(__efx_mae_action_rule_mv_desc_set);
 		descp = &__efx_mae_action_rule_mv_desc_set[field_id];
 		mvp = spec->emms_mask_value_pairs.action;
 		break;
 	default:
 		rc = ENOTSUP;
+		goto fail1;
+	}
+
+	if (field_id >= desc_set_nentries) {
+		rc = EINVAL;
 		goto fail2;
 	}
 
-- 
2.20.1