Existing field ID validity check does not validate the field descriptor availability. Make it more rigorous to avoid reading past the buffer containing field descriptors.
Coverity issue: 363742 Fixes: 370ed675a952 ("common/sfc_efx/base: support setting PPORT in match spec") Signed-off-by: Ivan Malov <ivan.ma...@oktetlabs.ru> Reviewed-by: Andy Moreton <amore...@xilinx.com> --- drivers/common/sfc_efx/base/efx_mae.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/common/sfc_efx/base/efx_mae.c b/drivers/common/sfc_efx/base/efx_mae.c index af9a5189c..ee0a3d319 100644 --- a/drivers/common/sfc_efx/base/efx_mae.c +++ b/drivers/common/sfc_efx/base/efx_mae.c @@ -622,25 +622,30 @@ efx_mae_match_spec_field_set( __in_bcount(mask_size) const uint8_t *mask) { const efx_mae_mv_desc_t *descp; + unsigned int desc_set_nentries; uint8_t *mvp; efx_rc_t rc; - if (field_id >= EFX_MAE_FIELD_NIDS) { - rc = EINVAL; - goto fail1; - } - switch (spec->emms_type) { case EFX_MAE_RULE_OUTER: + desc_set_nentries = + EFX_ARRAY_SIZE(__efx_mae_outer_rule_mv_desc_set); descp = &__efx_mae_outer_rule_mv_desc_set[field_id]; mvp = spec->emms_mask_value_pairs.outer; break; case EFX_MAE_RULE_ACTION: + desc_set_nentries = + EFX_ARRAY_SIZE(__efx_mae_action_rule_mv_desc_set); descp = &__efx_mae_action_rule_mv_desc_set[field_id]; mvp = spec->emms_mask_value_pairs.action; break; default: rc = ENOTSUP; + goto fail1; + } + + if (field_id >= desc_set_nentries) { + rc = EINVAL; goto fail2; } -- 2.20.1
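Review bot: in both `case` arms of `efx_mae_match_spec_field_set()`, `descp = &__efx_mae_outer_rule_mv_desc_set[field_id];` and its action-rule counterpart still form the pointer from an unchecked `field_id` before the new `if (field_id >= desc_set_nentries)` test runs. Nothing in the visible lines dereferences `descp` before that test, so the read is guarded. However, computing an address more than one element past the end of the array is already undefined behaviour in C, and a static analyser may keep flagging it. Consider having the switch select only the descriptor set base pointer and `desc_set_nentries`, and assigning `descp` after the bounds check has passed. Separately, the `fail1`/`fail2` targets are swapped between the ENOTSUP and EINVAL paths; it is worth confirming that the labels at the end of the function, which are outside this hunk, still match the order in which the failures can occur.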