From: Lin Ma
To: jesse.brandeburg@intel.com, anthony.l.nguyen@intel.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, richardcochran@gmail.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Lin Ma
Subject: [PATCH v1] ice: Add length check for IFLA_AF_SPEC parsing
Date: Sun, 23 Jul 2023 15:52:39 +0800
Message-Id: <20230723075239.3710086-1-linma@zju.edu.cn>

The nla_for_each_nested parsing in function ice_bridge_setlink() does not check the length of the nested attribute. This can lead to an out-of-attribute read and allow a malformed nlattr (e.g., length 0) to be viewed as a 2 byte integer.

This patch adds the check based on nla_len() just as other code does, see how bnxt_bridge_setlink (drivers/net/ethernet/broadcom/bnxt/bnxt.c) parses IFLA_AF_SPEC: type checking plus length checking.

Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
Signed-off-by: Lin Ma
--- drivers/net/ethernet/intel/ice/ice_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c index 19a5e7f3a075..85730075dcb4 100644 --- a/drivers/net/ethernet/intel/ice/ice_main.c +++ b/drivers/net/ethernet/intel/ice/ice_main.c @@ -7701,6 +7701,10 @@ ice_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh, if (nla_type(attr) != IFLA_BRIDGE_MODE) continue; + + if (nla_len(attr) < sizeof(mode)) + return -EINVAL; + mode = nla_get_u16(attr); if (mode != BRIDGE_MODE_VEPA && mode != BRIDGE_MODE_VEB) return -EINVAL; -- 2.17.1
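
Review bot: In the added check in ice_bridge_setlink(), nla_len(attr) < sizeof(mode) compares the int that nla_len() returns against a size_t, so a negative length would be converted to a large unsigned value and pass the test. That cannot occur here only because nla_for_each_nested (named in the commit message) stops iterating at an attribute whose header length is too small; please say so in a comment or the changelog, or compare against (int)sizeof(mode) so the check does not depend on it. The new return is also a bare -EINVAL, the same code as the invalid-mode return just below it; if an extended-ack pointer is available in this function (its full parameter list is not visible in the hunk), setting a message on the short-attribute path would let userspace tell the two failures apart.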