[PATCH] mlx4: Fix out of bounds access in __mlx4_register_mac()

[PATCH] mlx4: Fix out of bounds access in __mlx4_register_mac()

[Kery Qi]

__mlx4_register_mac() searches for a free MAC table slot using
`free = -1`. If the requested MAC is not found and there is no
free entry (all refs[] are non-zero), the scan may finish with
`free` still -1, yet the code later uses it as an array index
(entries/refs/is_dup), causing an out-of-bounds access.

Fix this by checking `free < 0` after the scan (and mf-bond slot
selection) and returning an error before touching the arrays.

This matches the same bug pattern fixed by CVE-2010-5332 in
mlx4_register_mac()/mlx4_register_vlan().

Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx4/port.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx4/port.c b/drivers/net/ethernet/mellanox/mlx4/port.c
index e3d0b13c1610..ff1cce138357 100644
--- a/drivers/net/ethernet/mellanox/mlx4/port.c
+++ b/drivers/net/ethernet/mellanox/mlx4/port.c
@@ -267,6 +267,11 @@ int __mlx4_register_mac(struct mlx4_dev *dev, u8 port, u64 mac)
 	if (need_mf_bond && can_mf_bond)
 		free = free_for_dup;
 
+	if (free < 0) {
+		err = -ENOMEM;
+		goto out;
+	}
+
 	mlx4_dbg(dev, "Free MAC index is %d\n", free);
 
 	if (table->total == table->max) {
-- 
2.34.1