Commit d5be9df0 authored by Alice Michael's avatar Alice Michael Committed by Greg Kroah-Hartman

virtchnl: Fix off by one error

[ Upstream commit 843faff8 ]

When calculating the valid length for a VIRTCHNL_OP_ENABLE_CHANNELS
message, we accidentally allowed messages with one extra
virtchnl_channel_info structure on the end. This happened due
to an off by one error, because we forgot that valid_len already
accounted for one virtchnl_channel_info structure, so we need to
subtract one from the num_tc value.
Signed-off-by: default avatarAlice Michael <alice.michael@intel.com>
Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent ea962fa1
...@@ -798,8 +798,8 @@ virtchnl_vc_validate_vf_msg(struct virtchnl_version_info *ver, u32 v_opcode, ...@@ -798,8 +798,8 @@ virtchnl_vc_validate_vf_msg(struct virtchnl_version_info *ver, u32 v_opcode,
if (msglen >= valid_len) { if (msglen >= valid_len) {
struct virtchnl_tc_info *vti = struct virtchnl_tc_info *vti =
(struct virtchnl_tc_info *)msg; (struct virtchnl_tc_info *)msg;
valid_len += vti->num_tc * valid_len += (vti->num_tc - 1) *
sizeof(struct virtchnl_channel_info); sizeof(struct virtchnl_channel_info);
if (vti->num_tc == 0) if (vti->num_tc == 0)
err_msg_format = true; err_msg_format = true;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment