net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
[ Upstream commit51fe0a4705
] rules is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be check before using rules to avoid OOB writing or NULL pointer dereference. Fixes:90b509b39a
("net: mvpp2: cls: Add Classification offload support") Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Reviewed-by: Marcin Wojtas <mw@semihalf.com> Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Родитель
06b4934ab2
Коммит
5bb09dddc7
|
@ -5572,6 +5572,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev,
|
||||||
break;
|
break;
|
||||||
case ETHTOOL_GRXCLSRLALL:
|
case ETHTOOL_GRXCLSRLALL:
|
||||||
for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
|
for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
|
||||||
|
if (loc == info->rule_cnt) {
|
||||||
|
ret = -EMSGSIZE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if (port->rfs_rules[i])
|
if (port->rfs_rules[i])
|
||||||
rules[loc++] = i;
|
rules[loc++] = i;
|
||||||
}
|
}
|
||||||
|
|
Загрузка…
Ссылка в новой задаче