Hi,
The AI review reported a possible issue that looks valid to me.
Reporting the feedback manually because I think only one of the AI
remarks is valid, see below.
On 2/2/26 6:05 PM, Daniel Jurgens wrote:
> +static bool validate_eth_mask(const struct virtnet_ff *ff,
> + const struct virtio_net_ff_selector *sel,
> + const struct virtio_net_ff_selector *sel_cap)
> +{
> + bool partial_mask = !!(sel_cap->flags &
> VIRTIO_NET_FF_MASK_F_PARTIAL_MASK);
> + struct ethhdr *cap, *mask;
> + struct ethhdr zeros = {};
> +
> + cap = (struct ethhdr *)&sel_cap->mask;
> + mask = (struct ethhdr *)&sel->mask;
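Review bot: the casts `cap = (struct ethhdr *)&sel_cap->mask;` and `mask = (struct ethhdr *)&sel->mask;` assume each selector's mask region holds at least sizeof(struct ethhdr) bytes, but nothing in this hunk checks the selector length before Ethernet header fields are read through these pointers; a bound such as `if (sel->length < sizeof(struct ethhdr) || sel_cap->length < sizeof(struct ethhdr)) return false;` (against whatever length field the selector structure actually carries) belongs before the casts. Separately, `sel` and `sel_cap` are both `const` pointers, so casting `&sel->mask` and `&sel_cap->mask` to a non-const `struct ethhdr *` silently discards the qualifier; if the function only reads the headers, declaring `cap` and `mask` as `const struct ethhdr *` keeps the const-correctness the signature promises.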
This function casts sel_cap->mask to struct ethhdr * and accesses fields
at offsets 0, 6, and 12. Shouldn't there be validation that
sel_cap->length is at least sizeof(struct ethhdr) = 14 bytes?
Looking at virtnet_ff_init() at line 6291, it only checks that
sel->length <= MAX_SEL_LEN (40 bytes) but doesn't enforce a minimum
length for the ETH selector type. If a device provides an ETH selector
capability with length < 14 bytes, won't validate_eth_mask() read beyond
the allocated mask array?
---
Note that the AI review additionally reported a possible leak on xarray,
but I think it got confused, possibly because it ran out of tokens and
mixed up the patch context.
/P