From: Michael Chan <michael.chan@broadcom.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org
Subject: [PATCH net-next v2 03/14] bnxt_en: Check the lengths of encapsulated firmware responses.
Date: Thu, 26 Apr 2018 17:44:33 -0400 [thread overview]
Message-ID: <1524779084-4016-4-git-send-email-michael.chan@broadcom.com> (raw)
In-Reply-To: <1524779084-4016-1-git-send-email-michael.chan@broadcom.com>
Firmware messages that are forwarded from PF to VFs are encapsulated.
The size of these encapsulated messages must not exceed the maximum
defined message size. Add appropriate checks to avoid oversize
messages. Firmware messages may be expanded in future specs and
this will provide some guardrails to avoid data corruption.
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 9 +++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h | 12 ++++++++++++
2 files changed, 21 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index f952963..18ee471 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -809,6 +809,9 @@ static int bnxt_hwrm_fwd_resp(struct bnxt *bp, struct bnxt_vf_info *vf,
struct hwrm_fwd_resp_input req = {0};
struct hwrm_fwd_resp_output *resp = bp->hwrm_cmd_resp_addr;
+ if (BNXT_FWD_RESP_SIZE_ERR(msg_size))
+ return -EINVAL;
+
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FWD_RESP, -1, -1);
/* Set the new target id */
@@ -845,6 +848,9 @@ static int bnxt_hwrm_fwd_err_resp(struct bnxt *bp, struct bnxt_vf_info *vf,
struct hwrm_reject_fwd_resp_input req = {0};
struct hwrm_reject_fwd_resp_output *resp = bp->hwrm_cmd_resp_addr;
+ if (BNXT_REJ_FWD_RESP_SIZE_ERR(msg_size))
+ return -EINVAL;
+
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_REJECT_FWD_RESP, -1, -1);
/* Set the new target id */
req.target_id = cpu_to_le16(vf->fw_fid);
@@ -877,6 +883,9 @@ static int bnxt_hwrm_exec_fwd_resp(struct bnxt *bp, struct bnxt_vf_info *vf,
struct hwrm_exec_fwd_resp_input req = {0};
struct hwrm_exec_fwd_resp_output *resp = bp->hwrm_cmd_resp_addr;
+ if (BNXT_EXEC_FWD_RESP_SIZE_ERR(msg_size))
+ return -EINVAL;
+
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_EXEC_FWD_RESP, -1, -1);
/* Set the new target id */
req.target_id = cpu_to_le16(vf->fw_fid);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h
index d10f6f6..6f6d850 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h
@@ -11,6 +11,18 @@
#ifndef BNXT_SRIOV_H
#define BNXT_SRIOV_H
+#define BNXT_FWD_RESP_SIZE_ERR(n) \
+ ((offsetof(struct hwrm_fwd_resp_input, encap_resp) + n) > \
+ sizeof(struct hwrm_fwd_resp_input))
+
+#define BNXT_EXEC_FWD_RESP_SIZE_ERR(n) \
+ ((offsetof(struct hwrm_exec_fwd_resp_input, encap_request) + n) >\
+ offsetof(struct hwrm_exec_fwd_resp_input, encap_resp_target_id))
+
+#define BNXT_REJ_FWD_RESP_SIZE_ERR(n) \
+ ((offsetof(struct hwrm_reject_fwd_resp_input, encap_request) + n) >\
+ offsetof(struct hwrm_reject_fwd_resp_input, encap_resp_target_id))
+
int bnxt_get_vf_config(struct net_device *, int, struct ifla_vf_info *);
int bnxt_set_vf_mac(struct net_device *, int, u8 *);
int bnxt_set_vf_vlan(struct net_device *, int, u16, u8, __be16);
--
1.8.3.1
next prev parent reply other threads:[~2018-04-26 21:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-26 21:44 [PATCH net-next v2 00/14] bnxt_en: Net-next updates Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 01/14] bnxt_en: Add TC to hardware QoS queue mapping logic Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 02/14] bnxt_en: Remap TC to hardware queues when configuring PFC Michael Chan
2018-04-26 21:44 ` Michael Chan [this message]
2018-04-26 21:44 ` [PATCH net-next v2 04/14] bnxt_en: Do not set firmware time from VF driver on older firmware Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 05/14] bnxt_en: Simplify ring alloc/free error messages Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 06/14] bnxt_en: Display function level rx/tx_discard_pkts via ethtool Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 07/14] bnxt_en: Do not allow VF to read EEPROM Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 08/14] bnxt_en: Increase RING_IDLE minimum threshold to 50 Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 09/14] bnxt_en: reduce timeout on initial HWRM calls Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 10/14] bnxt_en: add debugfs support for DIM Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 11/14] bnxt_en: Reserve rings in bnxt_set_channels() if device is down Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 12/14] bnxt_en: Don't reserve rings on VF when min rings were not provisioned by PF Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 13/14] bnxt_en: Reserve RSS and L2 contexts for VF Michael Chan
2018-04-26 21:44 ` [PATCH net-next v2 14/14] bnxt_en: Reserve rings at driver open if none was reserved at probe time Michael Chan
2018-04-27 18:53 ` [PATCH net-next v2 00/14] bnxt_en: Net-next updates David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1524779084-4016-4-git-send-email-michael.chan@broadcom.com \
--to=michael.chan@broadcom.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).