
Commit 59895f5

Michael Chandavem330
authored andcommitted
bnxt_en: Check the lengths of encapsulated firmware responses.
Firmware messages that are forwarded from PF to VFs are encapsulated. The size of these encapsulated messages must not exceed the maximum defined message size. Add appropriate checks to avoid oversize messages. Firmware messages may be expanded in future specs and this will provide some guardrails to avoid data corruption. Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent d31cd57 commit 59895f5

2 files changed

+21
-0
lines changed

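--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -809,6 +809,9 @@ static int bnxt_hwrm_fwd_resp(struct bnxt *bp, struct bnxt_vf_info *vf,
 struct hwrm_fwd_resp_input req = {0};
 struct hwrm_fwd_resp_output *resp = bp->hwrm_cmd_resp_addr;
 
+if (BNXT_FWD_RESP_SIZE_ERR(msg_size))
+return -EINVAL;
+
 bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FWD_RESP, -1, -1);
 
 /* Set the new target id */
@@ -845,6 +848,9 @@ static int bnxt_hwrm_fwd_err_resp(struct bnxt *bp, struct bnxt_vf_info *vf,
 struct hwrm_reject_fwd_resp_input req = {0};
 struct hwrm_reject_fwd_resp_output *resp = bp->hwrm_cmd_resp_addr;
 
+if (BNXT_REJ_FWD_RESP_SIZE_ERR(msg_size))
+return -EINVAL;
+
 bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_REJECT_FWD_RESP, -1, -1);
 /* Set the new target id */
 req.target_id = cpu_to_le16(vf->fw_fid);
@@ -877,6 +883,9 @@ static int bnxt_hwrm_exec_fwd_resp(struct bnxt *bp, struct bnxt_vf_info *vf,
 struct hwrm_exec_fwd_resp_input req = {0};
 struct hwrm_exec_fwd_resp_output *resp = bp->hwrm_cmd_resp_addr;
 
+if (BNXT_EXEC_FWD_RESP_SIZE_ERR(msg_size))
+return -EINVAL;
+
 bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_EXEC_FWD_RESP, -1, -1);
 /* Set the new target id */
 req.target_id = cpu_to_le16(vf->fw_fid);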
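Review bot: The three new guards at the top of bnxt_hwrm_fwd_resp, bnxt_hwrm_fwd_err_resp and bnxt_hwrm_exec_fwd_resp return -EINVAL without logging anything, so an oversize encapsulated message is dropped with no trace for whoever has to work out why a VF request was never answered. A one-time warning before the return, for example `netdev_warn_once(bp->dev, "encapsulated msg size %u too large\n", msg_size);`, would make a driver/firmware spec mismatch visible; the `%u` assumes msg_size is an unsigned 32-bit value, which the truncated signatures do not show. Whether the callers check or discard the new -EINVAL is outside these hunks and worth confirming, since all three function bodies start before and continue past the visible lines.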

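--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.h
@@ -11,6 +11,18 @@
 #ifndef BNXT_SRIOV_H
 #define BNXT_SRIOV_H
 
+#define BNXT_FWD_RESP_SIZE_ERR(n) \
+((offsetof(struct hwrm_fwd_resp_input, encap_resp) + n) > \
+sizeof(struct hwrm_fwd_resp_input))
+
+#define BNXT_EXEC_FWD_RESP_SIZE_ERR(n) \
+((offsetof(struct hwrm_exec_fwd_resp_input, encap_request) + n) >\
+offsetof(struct hwrm_exec_fwd_resp_input, encap_resp_target_id))
+
+#define BNXT_REJ_FWD_RESP_SIZE_ERR(n) \
+((offsetof(struct hwrm_reject_fwd_resp_input, encap_request) + n) >\
+offsetof(struct hwrm_reject_fwd_resp_input, encap_resp_target_id))
+
 int bnxt_get_vf_config(struct net_device *, int, struct ifla_vf_info *);
 int bnxt_set_vf_mac(struct net_device *, int, u8 *);
 int bnxt_set_vf_vlan(struct net_device *, int, u16, u8, __be16);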
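Review bot: All three macros use the argument `n` unparenthesized and write the bound as `offsetof(...) + n > limit`, a form that can wrap where size_t is 32 bits wide and n is very large (or a negative signed value converted to size_t), letting an oversize length pass the check; the argument's type is not visible in this section. Keeping the arithmetic on the constant side avoids the wrap: `((n) > sizeof(struct hwrm_fwd_resp_input) - offsetof(struct hwrm_fwd_resp_input, encap_resp))`, and for BNXT_EXEC_FWD_RESP_SIZE_ERR and BNXT_REJ_FWD_RESP_SIZE_ERR compare `(n)` against `offsetof(..., encap_resp_target_id) - offsetof(..., encap_request)`. A short comment above the group, such as `/* True when n bytes do not fit in the encapsulation field of the request. */`, would also help, because the _SIZE_ERR suffix alone does not say which way the test goes.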
