diff mbox series

[4/6] net/bnxt: check for integer overflow in buffer sizing

Message ID 20200303175938.14292-5-stephen@networkplumber.org (mailing list archive)
State Changes Requested, archived
Delegated to: Ajit Khaparde
Headers
Series net/bnxt: bounds checking patches |

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK

Commit Message

Stephen Hemminger March 3, 2020, 5:59 p.m. UTC 
  If the hardware returns invalid values, the buffer size calculation
could overflow.  Check for this by using the GCC/Clang builtin
that checks.

Reported-by: Christopher Ertl <Christopher.Ertl@microsoft.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/bnxt/bnxt_hwrm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c
index ad8bdb1c2913..6beb215d604f 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -11,6 +11,7 @@ 
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_version.h>
+#include <rte_overflow.h>
 #include <rte_io.h>
 
 #include "bnxt.h"
@@ -3861,7 +3862,9 @@  int bnxt_get_nvram_directory(struct bnxt *bp, uint32_t len, uint8_t *data)
 	len -= 2;
 	memset(data, 0xff, len);
 
-	buflen = dir_entries * entry_length;
+	if (rte_mul_overflow(dir_entries, entry_length, &buflen))
+		return -EINVAL;
+
 	buf = rte_malloc("nvm_dir", buflen, 0);
 	if (buf == NULL)
 		return -ENOMEM;