Commit 51fe0a47 authored by Hangyu Hua's avatar Hangyu Hua Committed by David S. Miller

net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()

rules is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be check before using
rules to avoid OOB writing or NULL pointer dereference.

Fixes: 90b509b3 ("net: mvpp2: cls: Add Classification offload support")
Signed-off-by: default avatarHangyu Hua <hbh25y@gmail.com>
Reviewed-by: default avatarMarcin Wojtas <mw@semihalf.com>
Reviewed-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9b90aca9
...@@ -5586,6 +5586,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev, ...@@ -5586,6 +5586,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev,
break; break;
case ETHTOOL_GRXCLSRLALL: case ETHTOOL_GRXCLSRLALL:
for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) { for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
if (loc == info->rule_cnt) {
ret = -EMSGSIZE;
break;
}
if (port->rfs_rules[i]) if (port->rfs_rules[i])
rules[loc++] = i; rules[loc++] = i;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment