On 10/28/2020 11:08 AM, Luca Boccassi wrote:
On Tue, 2020-10-27 at 23:07 +0000, Ferruh Yigit wrote:
On 10/27/2020 5:10 PM, Luca Boccassi wrote:
On Mon, 2020-08-10 at 19:33 -0700, [email protected] wrote:
From: Stephen Hemminger <[email protected]>
The data from the host is trusted but checked by the driver.
One check that is missing is that the packet offset and length
might cause wraparound.
Cc: [email protected]
Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Long Li <[email protected]>
---
drivers/net/netvsc/hn_rxtx.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/netvsc/hn_rxtx.c b/drivers/net/netvsc/hn_rxtx.c
index a388ff258..d8d3f07f5 100644
--- a/drivers/net/netvsc/hn_rxtx.c
+++ b/drivers/net/netvsc/hn_rxtx.c
@@ -666,7 +666,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
struct hn_rx_bufinfo *rxb,
void *data, uint32_t dlen)
{
- unsigned int data_off, data_len, pktinfo_off, pktinfo_len;
+ unsigned int data_off, data_len, total_len;
+ unsigned int pktinfo_off, pktinfo_len;
const struct rndis_packet_msg *pkt = data;
struct hn_rxinfo info = {
.vlan_info = HN_NDIS_VLAN_INFO_INVALID,
@@ -711,7 +712,8 @@ static void hn_rndis_rx_data(struct hn_rx_queue *rxq,
goto error;
}
- if (unlikely(data_off + data_len > pkt->len))
+ if (__builtin_add_overflow(data_off, data_len, &total_len) ||
+ total_len > pkt->len)
goto error;
if (unlikely(data_len < RTE_ETHER_HDR_LEN))
This patch breaks the build with GCC < 5 (CentOS 7, RHEL 7, SLE 12) as
__builtin_add_overflow is not available. Could you please send a follow
up to fix it?
It should be already fixed in the repo:
https://git.dpdk.org/dpdk/commit/?id=d73543b5f46d
Are you getting the build error with 20.11-rc1?
No, with the backport. The original patch was marked for stable, but
the fixup was not.
Yes, it should be also marked for stable, seems missed.
I'll pick it up.
Thanks.
