Received: by 10.213.65.68 with SMTP id h4csp963372imn; Thu, 22 Mar 2018 12:15:42 -0700 (PDT) X-Google-Smtp-Source: AG47ELsIU/TiPo1uZUSic38bhOgDd4w8x4lg/LWI31eU0cz15ngLuhhKZuMXZfWQSKAyWXprBf6r X-Received: by 10.99.123.78 with SMTP id k14mr16478608pgn.67.1521746142431; Thu, 22 Mar 2018 12:15:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521746142; cv=none; d=google.com; s=arc-20160816; b=X+MUAF2dJBDDOutNkZniqBn64LDn3AZzLPB6Qzh7mhMYkSPC26ck7wjj8wSBeNiPXc y1cKBl2ENRHb+c5Lrz3q1fop472iJtnugAIKEt2QdQgEeJthaygpTpYCTCI7QYRXXD9P JVMa0gMm2IEht1zyxjgpPGEYOBonFrEfz03Wwqy0Mrh2l/vGkCrBHDJZHufTDZhEL3Fe /LXovSLcaO15baXChbnB8Z63yRr6dy2opjWsIstHjzUT0zQH0KyI62xJg6E4l2eDExVW gjH6odeQD0lb19WrOZJ3Mk97CoIuAQmnW2P15EsVcxVWPAIYBSfXNxtgkQp4raQyPlsI z0qQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:reply-to:references:in-reply-to :message-id:date:subject:cc:to:from:arc-authentication-results; bh=1AMFkPQ/aRybY31xTRyNiAz4hCMIDuRpPbH0kgPm6MI=; b=EtUetfwo+lxsN5Ageg321i8tf1ePQBpoYlZ5jEKBoWizMxWtmnz+kyjYr85vNAk9QC liCBg1+fr1Iu8sk6f69ikGjlYvjBb5/cRtI3QKSOLWYULgW6Ux0zOupKjBhjUib2J5x3 t1Dc9P/KcvKdkWFcTpzut+c43WMxumWU3bwulnwokIbzyI2wZvqqo6d4aXfIZWYG+iAW hscOM8zk2LsuB8onGCzLYub54Ka6EIlmeIolIuM9lB1qhlQLzlGlfm0s4J3mp6TkgP8J QOeahEPmc8OMbxFw36YVOhkKrNyj52vef/5YmUphMLF4q6ebPuyYRlWTgpzYLOaYXoho qD3w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u3-v6si7013802plb.593.2018.03.22.12.15.27; Thu, 22 Mar 2018 12:15:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752106AbeCVTOB (ORCPT + 99 others); Thu, 22 Mar 2018 15:14:01 -0400 Received: from a2nlsmtp01-03.prod.iad2.secureserver.net ([198.71.225.37]:50920 "EHLO a2nlsmtp01-03.prod.iad2.secureserver.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751985AbeCVTN7 (ORCPT ); Thu, 22 Mar 2018 15:13:59 -0400 Received: from linuxonhyperv2.linuxonhyperv.com ([107.180.71.197]) by : HOSTING RELAY : with SMTP id z5T5eD1TBTrNgz5T5evzxB; Thu, 22 Mar 2018 12:01:43 -0700 x-originating-ip: 107.180.71.197 Received: from haiyangz by linuxonhyperv2.linuxonhyperv.com with local (Exim 4.89_1) (envelope-from ) id 1ez5T5-0006gW-0s; Thu, 22 Mar 2018 12:01:43 -0700 From: Haiyang Zhang To: davem@davemloft.net, netdev@vger.kernel.org Cc: haiyangz@microsoft.com, kys@microsoft.com, sthemmin@microsoft.com, olaf@aepfle.de, vkuznets@redhat.com, devel@linuxdriverproject.org, linux-kernel@vger.kernel.org Subject: [PATCH net-next,2/2] hv_netvsc: Add range checking for rx packet offset and length Date: Thu, 22 Mar 2018 12:01:14 -0700 Message-Id: <20180322190114.25596-3-haiyangz@linuxonhyperv.com> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180322190114.25596-1-haiyangz@linuxonhyperv.com> References: <20180322190114.25596-1-haiyangz@linuxonhyperv.com> Reply-To: haiyangz@microsoft.com X-CMAE-Envelope: MS4wfHbe4/74bfcMPSeVBqtFrtu6hFraVOnLlQDtrO+Lx2eWE6wh3E/+zkHarjj7xWlxgTXw56Y9QQcNmWWhsWIAV18i1F5LNsKi9ckoPCMGCubTAZixOx9v CFsOcRK9S9IEJYg45aFCr3JYw54vXd/D9YGlnKWYZnIgo+/eZDh5x+S5Ti3mWSlJXAFLrGMpu97Tptdknjnozn/+3ZwehCFXZ989O73BLk7T3bh5/vpmlhnf GWddrkHHW+W82GX43dRTpaC5btrQx9cCgQr54Pb1uABD/KCUK1JkhNCnXSEcCA9c22CNFjJSqjUaGJ8Gwdszth7VAcvLp7O+p0eXVdGUfQMP40LAvnB9vsyP nyIv4b7TgcD5GN0QiAAEYdw0L5zmI+3s8x4jNAIE6Hi0uc2EDWAcG4JCNP9gZ8tjdbl8QehfD5UfhShWqQVFwKc4+YOUy/oDKvKwbzJ3LshOTMiUK+wn+ET1 GMjjU7pR9Kkucw+m9fVlkOacxlRpXU7gSOQIdQ== Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haiyang Zhang This patch adds range checking for rx packet offset and length. It may only happen if there is a host side bug. Signed-off-by: Haiyang Zhang --- drivers/net/hyperv/hyperv_net.h | 1 + drivers/net/hyperv/netvsc.c | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index 0db3bd1ea06f..49c05ac894e5 100644 --- a/drivers/net/hyperv/hyperv_net.h +++ b/drivers/net/hyperv/hyperv_net.h @@ -793,6 +793,7 @@ struct netvsc_device { /* Receive buffer allocated by us but manages by NetVSP */ void *recv_buf; + u32 recv_buf_size; /* allocated bytes */ u32 recv_buf_gpadl_handle; u32 recv_section_cnt; u32 recv_section_size; diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 1ddb2c39b6e4..a6700d65f206 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c @@ -289,6 +289,8 @@ static int netvsc_init_buf(struct hv_device *device, goto cleanup; } + net_device->recv_buf_size = buf_size; + /* * Establish the gpadl handle for this buffer on this * channel. Note: This call uses the vmbus connection rather @@ -1095,11 +1097,22 @@ static int netvsc_receive(struct net_device *ndev, /* Each range represents 1 RNDIS pkt that contains 1 ethernet frame */ for (i = 0; i < count; i++) { - void *data = recv_buf - + vmxferpage_packet->ranges[i].byte_offset; + u32 offset = vmxferpage_packet->ranges[i].byte_offset; u32 buflen = vmxferpage_packet->ranges[i].byte_count; + void *data; int ret; + if (unlikely(offset + buflen > net_device->recv_buf_size)) { + status = NVSP_STAT_FAIL; + netif_err(net_device_ctx, rx_err, ndev, + "Packet offset:%u + len:%u too big\n", + offset, buflen); + + continue; + } + + data = recv_buf + offset; + trace_rndis_recv(ndev, q_idx, data); /* Pass it to the upper layer */ -- 2.15.1