From: <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: [bug report] Add support for the latest 1G/10G Chelsio adapter, T3.
Date: Mon, 20 Jul 2020 12:53:05 +0000 [thread overview]
Message-ID: <20200720125305.GA59894@mwanda> (raw)
Hi Vishal,
This is ancient code, but apparently you worked on it recently and no
good deed goes unpunished. ;)
The patch 4d22de3e6cc4: "Add support for the latest 1G/10G Chelsio
adapter, T3." from Jan 18, 2007, leads to the following static
checker warning:
drivers/net/ethernet/chelsio/cxgb3/sge.c:2086 rx_eth()
error: buffer overflow 'adap->port' 2 <= 15 user_rl='0-15' uncapped
drivers/net/ethernet/chelsio/cxgb3/sge.c
2078 static void rx_eth(struct adapter *adap, struct sge_rspq *rq,
2079 struct sk_buff *skb, int pad, int lro)
2080 {
2081 struct cpl_rx_pkt *p = (struct cpl_rx_pkt *)(skb->data + pad);
^^^^^^^^^
Smatch distrusts skb->data.
2082 struct sge_qset *qs = rspq_to_qset(rq);
2083 struct port_info *pi;
2084
2085 skb_pull(skb, sizeof(*p) + pad);
2086 skb->protocol = eth_type_trans(skb, adap->port[p->iff]);
^^^^^^
So it says that this can crash. The ->port array only has two elements
and p->iff can go up to 16. This seems like a valid bug. I'm not
really sure how to address it..
2087 pi = netdev_priv(skb->dev);
2088 if ((skb->dev->features & NETIF_F_RXCSUM) && p->csum_valid &&
2089 p->csum = htons(0xffff) && !p->fragment) {
2090 qs->port_stats[SGE_PSTAT_RX_CSUM_GOOD]++;
2091 skb->ip_summed = CHECKSUM_UNNECESSARY;
2092 } else
2093 skb_checksum_none_assert(skb);
2094 skb_record_rx_queue(skb, qs - &adap->sge.qs[pi->first_qset]);
2095
2096 if (p->vlan_valid) {
2097 qs->port_stats[SGE_PSTAT_VLANEX]++;
2098 __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), ntohs(p->vlan));
2099 }
2100 if (rq->polling) {
2101 if (lro)
regards,
dan carpenter
next reply other threads:[~2020-07-20 12:53 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-20 12:53 dan.carpenter [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-01-23 9:50 [bug report] Add support for the latest 1G/10G Chelsio adapter, T3 Dan Carpenter
2017-11-29 11:49 Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200720125305.GA59894@mwanda \
--to=dan.carpenter@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.