From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Bommarito
To: Samuel Mendoza-Jonas, Paul Fertser, netdev@vger.kernel.org
Cc: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux-kernel@vger.kernel.org, Michael Bommarito, stable@vger.kernel.org
Subject: [PATCH net 6/6] net/ncsi: validate GP payload lengths before parsing
Date: Wed, 22 Apr 2026 12:03:42 -0400
Message-ID: <20260422160342.1975093-7-michael.bommarito@gmail.com>
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

ncsi_rsp_handler_gp() now bounds MAC and VLAN counts to software and
GC-reported limits, but it still assumes the advertised GP payload is
large enough for the fixed fields plus the consumed filter-table bytes.
A short GP reply can still make parsing start past the payload or walk
beyond its tail.

Validate that the declared GP payload covers the fixed GP prefix, the
consumed MAC and VLAN entries, and the checksum before parsing the
filter tables.

Fixes: 062b3e1b6d4f ("net/ncsi: Refactor MAC, VLAN filters")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/ncsi/ncsi-rsp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c index 94354dca23ea..565d38fd4b92 100644 --- a/net/ncsi/ncsi-rsp.c +++ b/net/ncsi/ncsi-rsp.c @@ -899,6 +899,8 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *nr) struct ncsi_dev_priv *ndp = nr->ndp; struct ncsi_rsp_gp_pkt *rsp; struct ncsi_channel *nc; + size_t needed; + unsigned int payload; unsigned short enable; unsigned char *pdata; unsigned long flags; @@ -924,6 +926,14 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *nr) if (rsp->mac_cnt > mac_nbits || rsp->vlan_cnt > ncvf->n_vids) return -ERANGE; + payload = ncsi_rsp_payload(nr->rsp); + needed = offsetof(struct ncsi_rsp_gp_pkt, mac) - sizeof(rsp->rsp); + needed += mac_cnt * ETH_ALEN; + needed += vlan_cnt * sizeof(__be16); + needed += sizeof(rsp->checksum); + if (payload < needed) + return -EINVAL; + /* Modes with explicit enabled indications */ if (ntohl(rsp->valid_modes) & 0x1) { /* BC filter mode */ nc->modes[NCSI_MODE_BC].enable = 1; -- 2.53.0
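Review bot: the new length arithmetic in the second hunk uses bare `mac_cnt` and `vlan_cnt`, while the -ERANGE guard directly above reads `rsp->mac_cnt` and `rsp->vlan_cnt`, and the first hunk declares only `needed` and `payload`; unless an earlier patch in this series introduced those locals, this does not build, so use one form in both places, e.g. `needed += rsp->mac_cnt * ETH_ALEN;` and `needed += rsp->vlan_cnt * sizeof(__be16);`. The same applies to `ncsi_rsp_payload()`, which is not defined in this diff; the commit message should say which patch provides it. Separately, `rsp->mac_cnt` and `rsp->vlan_cnt` are dereferenced by the -ERANGE guard before the payload check runs, so a reply shorter than the fixed prefix is read before it is rejected; either move the fixed-prefix part of the check (`payload < offsetof(struct ncsi_rsp_gp_pkt, mac) - sizeof(rsp->rsp) + sizeof(rsp->checksum)`) ahead of that guard, or state in the message where the fixed-prefix length is already guaranteed. Ordering the count bound before the multiplication, as the hunk does, is the right call: `needed` is then bounded by the GC-reported limits and cannot wrap.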
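To show the validation order the commit message describes (bound the counts, then check that the declared payload covers the fixed prefix, the consumed filter entries and the checksum, then parse), here is an added example in user-space C. It is not kernel code and not the author's patch; the packet layout is a deliberately simplified, constructed analogue of the NC-SI GP reply (a 4-byte header with `mac_cnt`, `vlan_cnt` and a big-endian declared length, followed by the MAC table, the VLAN table and a 4-byte checksum), and `MAX_MAC`, `MAX_VLAN`, `gp_parse` and the sample byte arrays are all assumptions made for the example. It goes one step beyond the patch by also checking the declared length against the bytes actually received, which matters when the frame itself is truncated.

```c
/* Added example, not net/ncsi code: validate a variable-length
 * "Get Parameters"-style reply before walking its filter tables.
 * Constructed layout (an assumption, simpler than the real GP packet):
 *   u8 mac_cnt; u8 vlan_cnt; u16 len (big-endian, bytes after header,
 *   includes checksum); u8 mac[mac_cnt][6]; u16 vlan[vlan_cnt]; u32 checksum;
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN   6
#define MAX_MAC    8       /* software limit, stands in for mac_nbits */
#define MAX_VLAN   15      /* software limit, stands in for ncvf->n_vids */
#define ERR_INVAL  (-22)   /* stands in for -EINVAL */
#define ERR_RANGE  (-34)   /* stands in for -ERANGE */

struct gp_hdr {
    uint8_t mac_cnt;
    uint8_t vlan_cnt;
    uint8_t len_be[2];     /* declared payload length, big-endian */
};

struct gp_parsed {
    unsigned mac_cnt;
    unsigned vlan_cnt;
    uint8_t  mac[MAX_MAC][ETH_ALEN];
    uint16_t vlan[MAX_VLAN];
};

/* Scratch output used by the stand-alone main() below. */
struct gp_parsed gp_scratch;

/* Returns 0 on success or a negative errno-style value on rejection. */
int gp_parse(const uint8_t *buf, size_t buf_len, struct gp_parsed *out)
{
    const struct gp_hdr *h;
    const uint8_t *p;
    size_t payload, needed;
    unsigned i;

    /* The fixed header must be present before any field is read. */
    if (buf_len < sizeof(*h))
        return ERR_INVAL;
    h = (const struct gp_hdr *)buf;

    /* 1. Bound the counts first, so the arithmetic below cannot wrap. */
    if (h->mac_cnt > MAX_MAC || h->vlan_cnt > MAX_VLAN)
        return ERR_RANGE;

    /* 2. The declared payload must cover everything we will consume. */
    payload = ((size_t)h->len_be[0] << 8) | h->len_be[1];
    needed  = (size_t)h->mac_cnt * ETH_ALEN
            + (size_t)h->vlan_cnt * sizeof(uint16_t)
            + sizeof(uint32_t);                  /* trailing checksum */
    if (payload < needed)
        return ERR_INVAL;

    /* 3. The bytes actually received must hold the declared payload. */
    if (buf_len - sizeof(*h) < payload)
        return ERR_INVAL;

    /* Only now walk the filter tables. */
    p = buf + sizeof(*h);
    out->mac_cnt = h->mac_cnt;
    for (i = 0; i < h->mac_cnt; i++, p += ETH_ALEN)
        memcpy(out->mac[i], p, ETH_ALEN);
    out->vlan_cnt = h->vlan_cnt;
    for (i = 0; i < h->vlan_cnt; i++, p += sizeof(uint16_t))
        out->vlan[i] = (uint16_t)((p[0] << 8) | p[1]);
    return 0;
}

/* Constructed sample replies (not captured traffic). */
const uint8_t gp_ok[] = {
    0x01, 0x02, 0x00, 0x0e,                 /* 1 MAC, 2 VLANs, 14-byte payload */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,     /* MAC 02:00:00:00:00:01 */
    0x00, 0x64, 0x00, 0xc8,                 /* VLAN 100, VLAN 200 */
    0x00, 0x00, 0x00, 0x00,                 /* checksum (zero = not supported) */
};
const uint8_t gp_short_decl[] = {
    0x01, 0x02, 0x00, 0x08,                 /* same counts, only 8 bytes declared */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x64,
};
const uint8_t gp_truncated[] = {
    0x01, 0x02, 0x00, 0x0e,                 /* declares 14 bytes ... */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x64,                             /* ... but the frame ends here */
};
const uint8_t gp_too_many[] = {
    0x09, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, /* mac_cnt 9 > MAX_MAC */
};

int main(void)
{
    printf("ok:         %d\n", gp_parse(gp_ok, sizeof(gp_ok), &gp_scratch));
    printf("short decl: %d\n", gp_parse(gp_short_decl, sizeof(gp_short_decl), &gp_scratch));
    printf("truncated:  %d\n", gp_parse(gp_truncated, sizeof(gp_truncated), &gp_scratch));
    printf("too many:   %d\n", gp_parse(gp_too_many, sizeof(gp_too_many), &gp_scratch));
    return 0;
}
```

The three rejections correspond to the three things the patch series guards against: counts beyond the advertised limits (`-ERANGE`), a declared payload too short for what the counts imply (`-EINVAL`, the check this patch adds), and a frame that does not carry the bytes it declares. Doing the count bound before the multiplication keeps `needed` small and well-defined; doing the length check before the first table read is what prevents the walk past the tail.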