From: Stephen Hemminger <step...@networkplumber.org>
The data from the host is trusted but checked by the driver.
One check that is missing is that the packet offset and length
might cause wraparound.
Cc: sta...@dpdk.org
Signed-off-by: Stephen Hemminger <step...@networkplumber.org>
Signed-off-by: Long Li <lon...@microsoft.com>
---
drivers/net/netvsc/hn_rxtx.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c
index a388ff258..d8d3f07f5 100644
--- a/drivers/net/netvsc/hn_rxtx.c
+++ b/drivers/net/netvsc/hn_rxtx.c
@@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
struct hn_rx_bufinfo *rxb,
void *data, uint32_t dlen)
{
- unsigned int data_off, data_len, pktinfo_off, pktinfo_len;
+ unsigned int data_off, data_len, total_len;
+ unsigned int pktinfo_off, pktinfo_len;
const struct rndis_packet_msg *pkt = data;
struct hn_rxinfo info = {
.vlan_info = HN_NDIS_VLAN_INFO_INVALID,
@@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
goto error;
}
- if (unlikely(data_off + data_len > pkt->len))
+ if (__builtin_add_overflow(data_off, data_len, &total_len) ||
+ total_len > pkt->len)
goto error;
if (unlikely(data_len < RTE_ETHER_HDR_LEN))
--
2.25.1
