diff options
author | Haiyang Zhang <haiyangz@microsoft.com> | 2018-03-22 22:01:14 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-03-26 00:07:40 +0300 |
commit | c5d24bdd29cc6373331967b5034da21c12805f72 (patch) | |
tree | 1c402d73da8ca21c4b2ebc2f6f99fe2f98baeca6 | |
parent | 5c71dadbb45970a8f0544a27ae8f1cbd9750e516 (diff) | |
download | linux-c5d24bdd29cc6373331967b5034da21c12805f72.tar.xz |
hv_netvsc: Add range checking for rx packet offset and length
This patch adds range checking for rx packet offset and length.
It may only happen if there is a host side bug.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/hyperv/hyperv_net.h | 1 | ||||
-rw-r--r-- | drivers/net/hyperv/netvsc.c | 17 |
2 files changed, 16 insertions, 2 deletions
diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index 32861036c3fc..960f06141472 100644 --- a/drivers/net/hyperv/hyperv_net.h +++ b/drivers/net/hyperv/hyperv_net.h @@ -793,6 +793,7 @@ struct netvsc_device { /* Receive buffer allocated by us but manages by NetVSP */ void *recv_buf; + u32 recv_buf_size; /* allocated bytes */ u32 recv_buf_gpadl_handle; u32 recv_section_cnt; u32 recv_section_size; diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 58bb2dcbc9f0..c9910c33e671 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c @@ -282,6 +282,8 @@ static int netvsc_init_buf(struct hv_device *device, goto cleanup; } + net_device->recv_buf_size = buf_size; + /* * Establish the gpadl handle for this buffer on this * channel. Note: This call uses the vmbus connection rather @@ -1095,11 +1097,22 @@ static int netvsc_receive(struct net_device *ndev, /* Each range represents 1 RNDIS pkt that contains 1 ethernet frame */ for (i = 0; i < count; i++) { - void *data = recv_buf - + vmxferpage_packet->ranges[i].byte_offset; + u32 offset = vmxferpage_packet->ranges[i].byte_offset; u32 buflen = vmxferpage_packet->ranges[i].byte_count; + void *data; int ret; + if (unlikely(offset + buflen > net_device->recv_buf_size)) { + status = NVSP_STAT_FAIL; + netif_err(net_device_ctx, rx_err, ndev, + "Packet offset:%u + len:%u too big\n", + offset, buflen); + + continue; + } + + data = recv_buf + offset; + trace_rndis_recv(ndev, q_idx, data); /* Pass it to the upper layer */ |