On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote: > From: Mateusz Polchlopek <[email protected]> > > Fix using the untrusted value of proto->raw.pkt_len in function > ice_vc_fdir_parse_raw() by verifying if it does not exceed the > VIRTCHNL_MAX_SIZE_RAW_PACKET value. > > Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary patterns for > VFs") > Signed-off-by: Mateusz Polchlopek <[email protected]> > Signed-off-by: Martyna Szapar-Mudlaw <[email protected]> > --- > .../ethernet/intel/ice/ice_virtchnl_fdir.c | 25 +++++++++++++------ > 1 file changed, 17 insertions(+), 8 deletions(-) > > diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c > b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c > index 14e3f0f89c78..6250629ee8f9 100644 > --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c > +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c > @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf, > u8 *pkt_buf, *msk_buf __free(kfree); > struct ice_parser_result rslt; > struct ice_pf *pf = vf->pf; > + u16 pkt_len, udp_port = 0; > struct ice_parser *psr; > int status = -ENOMEM; > struct ice_hw *hw; > - u16 udp_port = 0; > > - pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL); > - msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL); > + if (!proto->raw.pkt_len) > + return -EINVAL; > + > + pkt_len = proto->raw.pkt_len;
Hi Martyna, A check is made for !proto->raw.pkt_len above. And a check is made for !pkt_len below. This seems redundant. > + > + if (!pkt_len || pkt_len > VIRTCHNL_MAX_SIZE_RAW_PACKET) > + return -EINVAL; ...
