From patchwork Tue Mar 3 17:59:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Hemminger X-Patchwork-Id: 66222 X-Patchwork-Delegate: ajit.khaparde@broadcom.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 29D74A0571; Tue, 3 Mar 2020 19:00:19 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id AAABA1C037; Tue, 3 Mar 2020 18:59:49 +0100 (CET) Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com [209.85.210.193]) by dpdk.org (Postfix) with ESMTP id 94BF61C021 for ; Tue, 3 Mar 2020 18:59:47 +0100 (CET) Received: by mail-pf1-f193.google.com with SMTP id 2so1830099pfg.12 for ; Tue, 03 Mar 2020 09:59:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=IY9fGot27Lx8SYjW7fmgxyV883jhkPL/rosb+0Y3skg=; b=O/EwGFaYtOA/02Wl4df/N02xpptw+tOeHH9uxmeW1oF/m9PuoczLPG9MPMPgvBynt6 Y3YTFjmJV//QUvDJNhzsHrpwXvpS8jHiiS8YBYVArUkihO5GATr3S3eFaY3WtbHjqixH 4DQuPn2aAEo+YErHKhpU9+bWuPRSIlw0DjwAu3x5EGqxhcXxHMCBJX3IpoTTvvC4IkPO GFsQYtkFOHk2GWCAKtYtcoga+7XAHLBm+ilAvg89m/7kvjI6Cc3WbnGewT+uKfaRpUt+ Hb9uy0M71TVav+8d99ayph81dtm5De5Md46P2LqYZUTc+CAqfRb8lsCtggWygkLix65e NQKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=IY9fGot27Lx8SYjW7fmgxyV883jhkPL/rosb+0Y3skg=; b=XOn79gSa6y2Tc+JSVexG61Apw6dzt2EOUwVcuWfYS8s2s2zCFk1O6puY/BH6RF0DlI siU/ngjhg9K1C+O1At/VWESqwlEslTnGmpgCDJ565WqGdYyB3V85wTPm1U6qYuLLxg9S ALb0+E5fOO6gqMaSb34z9SxRqjAt5SbBZ1dlB1buv5UOJOSeJAqyj5xqhFuVqKecqNYZ W+EAfsvlIJUlryrtm5ENH5xMqhy5CBsrN2Dwm0t+YTXOE9FLUVkNpjRdxwzGdXp1taBG kDvC4H1R7UWwigVNWaxvutGzLF50yWGatenChSh6JTKBvd04LArvLYVvpRbdBDZ2WYKe bvAQ== X-Gm-Message-State: ANhLgQ2M6rQq/7S0Q2JR6ZIIp9tDHNk1tO6pvXqod59oFafo2v+rCmlk 4Iwm0r+QyaDIZ0eR+7LJVxpFQg== X-Google-Smtp-Source: ADFU+vuhLepTsyOlaFPGlxVWYk4ItjcTEbtFKbVulylJ0oD7wK1ABjg7QEhIiY594H2p6ckloc3RdQ== X-Received: by 2002:a62:7b4f:: with SMTP id w76mr5414983pfc.226.1583258386799; Tue, 03 Mar 2020 09:59:46 -0800 (PST) Received: from hermes.corp.microsoft.com (204-195-22-127.wavecable.com. [204.195.22.127]) by smtp.gmail.com with ESMTPSA id w195sm22012158pfd.65.2020.03.03.09.59.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Mar 2020 09:59:45 -0800 (PST) From: Stephen Hemminger To: ajit.khaparde@broadcom.com, somnath.kotur@broadcom.com Cc: dev@dpdk.org, Stephen Hemminger , Christopher Ertl Date: Tue, 3 Mar 2020 09:59:36 -0800 Message-Id: <20200303175938.14292-5-stephen@networkplumber.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200303175938.14292-1-stephen@networkplumber.org> References: <20200303175938.14292-1-stephen@networkplumber.org> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH 4/6] net/bnxt: check for integer overflow in buffer sizing X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" If the hardware returns invalid values, the buffer size calculation could overflow. Check for this by using the GCC/Clang builtin that checks. Reported-by: Christopher Ertl Signed-off-by: Stephen Hemminger --- drivers/net/bnxt/bnxt_hwrm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c index ad8bdb1c2913..6beb215d604f 100644 --- a/drivers/net/bnxt/bnxt_hwrm.c +++ b/drivers/net/bnxt/bnxt_hwrm.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include "bnxt.h" @@ -3861,7 +3862,9 @@ int bnxt_get_nvram_directory(struct bnxt *bp, uint32_t len, uint8_t *data) len -= 2; memset(data, 0xff, len); - buflen = dir_entries * entry_length; + if (rte_mul_overflow(dir_entries, entry_length, &buflen)) + return -EINVAL; + buf = rte_malloc("nvm_dir", buflen, 0); if (buf == NULL) return -ENOMEM;