From: Guojia Liao liaoguojia@huawei.com
driver inclusion category: bugfix bugzilla: NA CVE: NA
---------------------------------
The input parameters may not be reliable. Before using the rss hash key index, we should check this parameter. Otherwise out-of-bounds array may occur.
Signed-off-by: Guojia Liao liaoguojia@huawei.com Reviewed-by: Peng Li lipeng321@huawei.com Reviewed-by: Weiwei Deng dengweiwei@huawei.com Reviewed-by: Zhaohui Zhong zhongzhaohui@huawei.com Reviewed-by: Junxin Chen chenjunxin1@huawei.com Signed-off-by: Shengzui You youshengzui@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- .../ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c index 33ca01408cfcb..e04469cfb0b48 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c @@ -672,6 +672,21 @@ static void hclge_get_rss_key(struct hclge_vport *vport,
index = mbx_req->msg.data[0];
+ /* The length of RSS key is large than the length of MBX response. + * So multiple times of copy is needed, which is the meaning of "index". + * And RSS key will be copied 'HCLGE_RSS_MBX_RESP_LEN' byte per time. + * If (index * HCLGE_RSS_MBX_RESP_LEN) large than + * (rss_key_size - HCLGE_RSS_MBX_RESP_LEN), it will cause + * "out-of-bounds array" error, So it's necessary to check with it. + */ + if (((index + 1) * HCLGE_RSS_MBX_RESP_LEN) > + sizeof(vport[0].rss_hash_key)) { + dev_warn(&hdev->pdev->dev, + "failed to get the rss hash key, the index(%u) invalid !\n", + index); + return; + } + memcpy(resp_msg->data, &hdev->vport[0].rss_hash_key[index * HCLGE_RSS_MBX_RESP_LEN], HCLGE_RSS_MBX_RESP_LEN);