diff options
| author | Danielle Ratson <danieller@nvidia.com> | 2021-05-17 20:03:57 +0300 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2021-05-18 01:15:46 +0300 |
| commit | 837ec05cfea08284c575e8e834777b107da5ff9d (patch) | |
| tree | dd4cf1ed79684b1aa8a76f43e9dcca92a56dc08e /drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | |
| parent | ece5df874d3a80fcade92ca3b3877bd78dbb6116 (diff) | |
| download | linux-837ec05cfea08284c575e8e834777b107da5ff9d.tar.xz | |
mlxsw: Verify the accessed index doesn't exceed the array length
There are few cases in which an array index queried from a fw register,
is accessed without any validation that it doesn't exceed the array
length.
Add a proper length validation, so accessing memory past the end of an
array will be forbidden.
Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c')
| -rw-r--r-- | drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c index 41259c0004d1..99015dca86c9 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c @@ -2282,6 +2282,7 @@ static void mlxsw_sp_router_neigh_ent_ipv4_process(struct mlxsw_sp *mlxsw_sp, char *rauhtd_pl, int ent_index) { + u64 max_rifs = MLXSW_CORE_RES_GET(mlxsw_sp->core, MAX_RIFS); struct net_device *dev; struct neighbour *n; __be32 dipn; @@ -2290,6 +2291,8 @@ static void mlxsw_sp_router_neigh_ent_ipv4_process(struct mlxsw_sp *mlxsw_sp, mlxsw_reg_rauhtd_ent_ipv4_unpack(rauhtd_pl, ent_index, &rif, &dip); + if (WARN_ON_ONCE(rif >= max_rifs)) + return; if (!mlxsw_sp->router->rifs[rif]) { dev_err_ratelimited(mlxsw_sp->bus_info->dev, "Incorrect RIF in neighbour entry\n"); return; |