On Mon, 2020-08-10 at 19:33 -0700, [email protected] wrote: > From: Stephen Hemminger <[email protected]> > > The data from the host is trusted but checked by the driver. > One check that is missing is that the packet offset and length > might cause wraparound. > > Cc: [email protected] > > Signed-off-by: Stephen Hemminger <[email protected]> > Signed-off-by: Long Li <[email protected]> > --- > drivers/net/netvsc/hn_rxtx.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c > index a388ff258..d8d3f07f5 100644 > --- a/drivers/net/netvsc/hn_rxtx.c > +++ b/drivers/net/netvsc/hn_rxtx.c > @@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, > struct hn_rx_bufinfo *rxb, > void *data, uint32_t dlen) > { > - unsigned int data_off, data_len, pktinfo_off, pktinfo_len; > + unsigned int data_off, data_len, total_len; > + unsigned int pktinfo_off, pktinfo_len; > const struct rndis_packet_msg *pkt = data; > struct hn_rxinfo info = { > .vlan_info = HN_NDIS_VLAN_INFO_INVALID, > @@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq, > goto error; > } > > - if (unlikely(data_off + data_len > pkt->len)) > + if (__builtin_add_overflow(data_off, data_len, &total_len) || > + total_len > pkt->len) > goto error; > > if (unlikely(data_len < RTE_ETHER_HDR_LEN))
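Review bot: In the second hunk of hn_rndis_rx_data(), the replacement check depends on the compiler builtin __builtin_add_overflow and drops the unlikely() hint that the removed line carried. Since data_off and data_len are both unsigned int, the same wraparound can be rejected without the builtin by comparing before adding, for example `if (unlikely(data_off > pkt->len || data_len > pkt->len - data_off)) goto error;` (this assumes pkt->len is an unsigned field at least as wide as unsigned int, which these lines do not show). That form does not need the builtin, keeps the branch hint, and makes the total_len variable added in the first hunk unnecessary.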
This patch breaks the build with GCC < 5 (CentOS 7, RHEL 7, SLE 12) as __builtin_add_overflow is not available. Could you please send a follow-up to fix it?

--
Kind regards,
Luca Boccassi

