Commit a66998e0 authored by Teng Qi's avatar Teng Qi Committed by David S. Miller

ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in...

ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

The if statement:
  if (port >= DSAF_GE_NUM)
        return;

limits the value of port less than DSAF_GE_NUM (i.e., 8).
However, if the value of port is 6 or 7, an array overflow could occur:
  port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;

because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).

To fix this possible array overflow, we first check port and if it is
greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
Reported-by: default avatarTOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: default avatarTeng Qi <starmiku1207184332@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a280ef90
...@@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port, ...@@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
return; return;
if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) { if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
/* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
We need check to prevent array overflow */
if (port >= DSAF_MAX_PORT_NUM)
return;
reg_val_1 = 0x1 << port; reg_val_1 = 0x1 << port;
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
/* there is difference between V1 and V2 in register.*/ /* there is difference between V1 and V2 in register.*/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment