The IPv4 parsing helper used by pktgen and pktchkr reads each octet
with "%u". This allows values above 255 to be accepted from the
configuration file and encoded into unintended device register values.
Reject parsed octets outside the IPv4 byte range before assembling
the 32-bit address.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 9c7188a68d7b ("net/ark: provide API for hardware modules pktchkr and
pktgen")
Signed-off-by: Denis Sergeev <[email protected]>
---
drivers/net/ark/ark_pktchkr.c | 2 ++
drivers/net/ark/ark_pktgen.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/drivers/net/ark/ark_pktchkr.c b/drivers/net/ark/ark_pktchkr.c
index e1f336c73c..76e6f42659 100644
--- a/drivers/net/ark/ark_pktchkr.c
+++ b/drivers/net/ark/ark_pktchkr.c
@@ -379,6 +379,8 @@ parse_ipv4_string(char const *ip_address)
if (sscanf(ip_address, "%u.%u.%u.%u",
&ip[0], &ip[1], &ip[2], &ip[3]) != 4)
return 0;
+ if (ip[0] > 255 || ip[1] > 255 || ip[2] > 255 || ip[3] > 255)
+ return 0;
return ip[3] + ip[2] * 0x100 + ip[1] * 0x10000ul + ip[0] * 0x1000000ul;
}
diff --git a/drivers/net/ark/ark_pktgen.c b/drivers/net/ark/ark_pktgen.c
index 69ff7072b2..0b7246c374 100644
--- a/drivers/net/ark/ark_pktgen.c
+++ b/drivers/net/ark/ark_pktgen.c
@@ -360,6 +360,8 @@ parse_ipv4_string(char const *ip_address)
if (sscanf(ip_address, "%u.%u.%u.%u",
&ip[0], &ip[1], &ip[2], &ip[3]) != 4)
return 0;
+ if (ip[0] > 255 || ip[1] > 255 || ip[2] > 255 || ip[3] > 255)
+ return 0;
return ip[3] + ip[2] * 0x100 + ip[1] * 0x10000ul + ip[0] * 0x1000000ul;
}
--
2.50.1
