Message ID | e086a3597a33e16bcc57b97f81dcb2aa3ce48e31.1599739681.git.petrm@nvidia.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net] net: DCB: Validate DCB_ATTR_DCB_BUFFER argument | expand |
From: Petr Machata <petrm@nvidia.com> Date: Thu, 10 Sep 2020 14:09:05 +0200 > The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The > field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where > each value is a number of a buffer to direct that priority's traffic to. > That value is however never validated to lie within the bounds set by > DCBX_MAX_BUFFERS. The only driver that currently implements the callback is > mlx5 (maintainers CCd), and that does not do any validation either, in > particual allowing incorrect configuration if the prio2buffer value does > not fit into 4 bits. > > Instead of offloading the need to validate the buffer index to drivers, do > it right there in core, and bounce the request if the value is too large. > > CC: Parav Pandit <parav@nvidia.com> > CC: Saeed Mahameed <saeedm@nvidia.com> > Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute") > Signed-off-by: Petr Machata <petrm@nvidia.com> > Reviewed-by: Ido Schimmel <idosch@nvidia.com> > Reviewed-by: Jiri Pirko <jiri@nvidia.com> Applied and queued up for -stable, thank you.
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c index 84dde5a2066e..16014ad19406 100644 --- a/net/dcb/dcbnl.c +++ b/net/dcb/dcbnl.c @@ -1426,6 +1426,7 @@ static int dcbnl_ieee_set(struct net_device *netdev, struct nlmsghdr *nlh, { const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops; struct nlattr *ieee[DCB_ATTR_IEEE_MAX + 1]; + int prio; int err; if (!ops) @@ -1475,6 +1476,13 @@ static int dcbnl_ieee_set(struct net_device *netdev, struct nlmsghdr *nlh, struct dcbnl_buffer *buffer = nla_data(ieee[DCB_ATTR_DCB_BUFFER]); + for (prio = 0; prio < ARRAY_SIZE(buffer->prio2buffer); prio++) { + if (buffer->prio2buffer[prio] >= DCBX_MAX_BUFFERS) { + err = -EINVAL; + goto err; + } + } + err = ops->dcbnl_setbuffer(netdev, buffer); if (err) goto err;