From ecd89c02da85f724a2d24bc5a7e28043cc24b5d7 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 29 Jun 2021 11:25:13 +0300 Subject: gve: DQO: Fix off by one in gve_rx_dqo() The rx->dqo.buf_states[] array is allocated in gve_rx_alloc_ring_dqo() and it has rx->dqo.num_buf_states so this > needs to >= to prevent an out of bounds access. Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c index 8738db020061..77bb8227f89b 100644 --- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c +++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c @@ -525,7 +525,7 @@ static int gve_rx_dqo(struct napi_struct *napi, struct gve_rx_ring *rx, struct gve_priv *priv = rx->gve; u16 buf_len; - if (unlikely(buffer_id > rx->dqo.num_buf_states)) { + if (unlikely(buffer_id >= rx->dqo.num_buf_states)) { net_err_ratelimited("%s: Invalid RX buffer_id=%u\n", priv->dev->name, buffer_id); return -EINVAL; -- cgit v1.2.3