Commit 297e77e5 authored Sep 10, 2020 by Petr Machata Committed by David S. Miller Sep 10, 2020

net: DCB: Validate DCB_ATTR_DCB_BUFFER argument



The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The
field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where
each value is a number of a buffer to direct that priority's traffic to.
That value is however never validated to lie within the bounds set by
DCBX_MAX_BUFFERS. The only driver that currently implements the callback is
mlx5 (maintainers CCd), and that does not do any validation either, in
particual allowing incorrect configuration if the prio2buffer value does
not fit into 4 bits.

Instead of offloading the need to validate the buffer index to drivers, do
it right there in core, and bounce the request if the value is too large.

CC: Parav Pandit <parav@nvidia.com>
CC: Saeed Mahameed <saeedm@nvidia.com>
Fixes: e549f6f9 ("net/dcb: Add dcbnl buffer attribute")
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent cdaa7a73

net/dcb/dcbnl.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1426,6 +1426,7 @@ static int dcbnl_ieee_set(struct net_device netdev, struct nlmsghdr nlh,
		{
		const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops;
		struct nlattr *ieee[DCB_ATTR_IEEE_MAX + 1];
		int prio;
		int err;

		if (!ops)
		@@ -1475,6 +1476,13 @@ static int dcbnl_ieee_set(struct net_device netdev, struct nlmsghdr nlh,
		struct dcbnl_buffer *buffer =
		nla_data(ieee[DCB_ATTR_DCB_BUFFER]);

		for (prio = 0; prio < ARRAY_SIZE(buffer->prio2buffer); prio++) {
		if (buffer->prio2buffer[prio] >= DCBX_MAX_BUFFERS) {
		err = -EINVAL;
		goto err;
		}
		}

		err = ops->dcbnl_setbuffer(netdev, buffer);
		if (err)
		goto err;

Admin message