[PATCH] net/hinic: Fix out-of-bounds when receiving mbox messages

From: Chiqijun chiqijun@huawei.com

driver inclusion category: bugfix bugzilla: 4472

-----------------------------------------------------------------------

When the last fragment message of mbox/mgmt message exceeds 32 bytes, the copy will be out of bounds, so the length of the last fragment needs to be judged.

Signed-off-by: Chiqijun chiqijun@huawei.com Reviewed-by: Zengweiliang zengweiliang.zengweiliang@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/net/ethernet/huawei/hinic/hinic_mbox.c | 4 ++++ drivers/net/ethernet/huawei/hinic/hinic_mgmt.c | 5 +++++ 2 files changed, 9 insertions(+)

diff --git a/drivers/net/ethernet/huawei/hinic/hinic_mbox.c b/drivers/net/ethernet/huawei/hinic/hinic_mbox.c index 32c27a1df78f..add76893055d 100644 --- a/drivers/net/ethernet/huawei/hinic/hinic_mbox.c +++ b/drivers/net/ethernet/huawei/hinic/hinic_mbox.c @@ -142,6 +142,8 @@ enum hinic_mbox_tx_status {

#define SEQ_ID_START_VAL 0 #define SEQ_ID_MAX_VAL 42 +#define MBOX_LAST_SEG_MAX_LEN (MBOX_MAX_BUF_SZ - \ + SEQ_ID_MAX_VAL * MBOX_SEG_LEN)

#define DST_AEQ_IDX_DEFAULT_VAL 0 #define SRC_AEQ_IDX_DEFAULT_VAL 0 @@ -659,6 +661,8 @@ static bool check_mbox_seq_id_and_seg_len(struct hinic_recv_mbox *recv_mbox, { if (seq_id > SEQ_ID_MAX_VAL || seg_len > MBOX_SEG_LEN) return false; + else if (seq_id == SEQ_ID_MAX_VAL && seg_len > MBOX_LAST_SEG_MAX_LEN) + return false;

if (seq_id == 0) { recv_mbox->seq_id = seq_id; diff --git a/drivers/net/ethernet/huawei/hinic/hinic_mgmt.c b/drivers/net/ethernet/huawei/hinic/hinic_mgmt.c index dadb7cc0588b..ac9988710cad 100644 --- a/drivers/net/ethernet/huawei/hinic/hinic_mgmt.c +++ b/drivers/net/ethernet/huawei/hinic/hinic_mgmt.c @@ -45,6 +45,8 @@ SEGMENT_LEN) / SEGMENT_LEN)

#define MAX_PF_MGMT_BUF_SIZE 2048UL +#define MGMT_MSG_LAST_SEG_MAX_LEN (MAX_PF_MGMT_BUF_SIZE - \ + SEGMENT_LEN * MGMT_MSG_MAX_SEQ_ID)

#define MGMT_MSG_SIZE_MIN 20 #define MGMT_MSG_SIZE_STEP 16 @@ -1122,6 +1124,9 @@ static bool check_mgmt_seq_id_and_seg_len(struct hinic_recv_msg *recv_msg, { if (seq_id > MGMT_MSG_MAX_SEQ_ID || seg_len > SEGMENT_LEN) return false; + else if (seq_id == MGMT_MSG_MAX_SEQ_ID && + seg_len > MGMT_MSG_LAST_SEG_MAX_LEN) + return false;

if (seq_id == 0) { recv_msg->seq_id = seq_id;