| From 09d5a57aca872e24f4d2710c465a3fa90d66f173 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 17 Nov 2021 11:44:53 +0800 |
| Subject: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array |
| overflow in hns_dsaf_ge_srst_by_port() |
| |
| From: Teng Qi <starmiku1207184332@gmail.com> |
| |
| [ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ] |
| |
| The if statement: |
| if (port >= DSAF_GE_NUM) |
| return; |
| |
| limits the value of port less than DSAF_GE_NUM (i.e., 8). |
| However, if the value of port is 6 or 7, an array overflow could occur: |
| port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; |
| |
| because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6). |
| |
| To fix this possible array overflow, we first check port and if it is |
| greater than or equal to DSAF_MAX_PORT_NUM, the function returns. |
| |
| Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> |
| Signed-off-by: Teng Qi <starmiku1207184332@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |
| index a9aca8c24e90d..aa87e4d121532 100644 |
| --- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |
| +++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |
| @@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port, |
| return; |
| |
| if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) { |
| + /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8. |
| + We need check to prevent array overflow */ |
| + if (port >= DSAF_MAX_PORT_NUM) |
| + return; |
| reg_val_1 = 0x1 << port; |
| port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; |
| /* there is difference between V1 and V2 in register.*/ |
| -- |
| 2.33.0 |
| |