If the hardware returns invalid values, the buffer size calculation could overflow. Guard against this with the GCC/Clang builtin that checks for multiplication overflow.
Reported-by: Christopher Ertl <christopher.e...@microsoft.com>
Signed-off-by: Stephen Hemminger <step...@networkplumber.org>
---
drivers/net/bnxt/bnxt_hwrm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c
index ad8bdb1c2913..6beb215d604f 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -11,6 +11,7 @@
#include <rte_malloc.h>
#include <rte_memzone.h>
#include <rte_version.h>
+#include <rte_overflow.h>
#include <rte_io.h>
#include "bnxt.h"
@@ -3861,7 +3862,9 @@ int bnxt_get_nvram_directory(struct bnxt *bp, uint32_t len, uint8_t *data)
len -= 2;
memset(data, 0xff, len);
- buflen = dir_entries * entry_length;
+ if (rte_mul_overflow(dir_entries, entry_length, &buflen))
+ return -EINVAL;
+
buf = rte_malloc("nvm_dir", buflen, 0);
if (buf == NULL)
return -ENOMEM;
-- 2.20.1
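Review bot: The unsigned subtraction just above the new check in the `bnxt_get_nvram_directory` hunk has the same class of problem and is left unguarded: `len` is a `uint32_t` parameter, so `len -= 2;` wraps to a value near `UINT32_MAX` when a caller passes 0 or 1, and `memset(data, 0xff, len);` then writes far beyond the caller's buffer. Whether every caller already guarantees `len >= 2` is not visible here, so I would reject it locally with `if (len < 2) return -EINVAL;` before the subtraction. The function body starts outside this hunk, so that guard may need to sit earlier if `data` is written before `len -= 2;`. Separately, `rte_mul_overflow()` only rejects a product that does not fit in `buflen`, whose declaration is also outside the hunk; a product that fits but is implausibly large still reaches `rte_malloc`, so an upper bound on the hardware-reported `dir_entries` and `entry_length` would be a worthwhile follow-up.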