net/enic: fix raw item length check
Checks
Commit Message
Currently, the raw item is always preceeded by a UDP header, and both
land in the L4 pattern buffer. So consider the UDP header size when
checking if the raw spec fits in the L4 buffer.
Coverity issue: 336796
Coverity issue: 336850
Fixes: 477959e6eeb0 ("net/enic: enable limited support for raw flow item")
Signed-off-by: Hyong Youb Kim <hyonkim@cisco.com>
Reviewed-by: John Daley <johndale@cisco.com>
---
drivers/net/enic/enic_flow.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
On 4/9/2019 7:40 AM, Hyong Youb Kim wrote:
> Currently, the raw item is always preceeded by a UDP header, and both
> land in the L4 pattern buffer. So consider the UDP header size when
> checking if the raw spec fits in the L4 buffer.
>
> Coverity issue: 336796
> Coverity issue: 336850
> Fixes: 477959e6eeb0 ("net/enic: enable limited support for raw flow item")
>
> Signed-off-by: Hyong Youb Kim <hyonkim@cisco.com>
> Reviewed-by: John Daley <johndale@cisco.com>
Applied to dpdk-next-net/master, thanks.
@@ -967,7 +967,8 @@ enic_copy_item_raw_v2(struct copy_item_args *arg)
if (!spec->relative || spec->offset != 0 || spec->search || spec->limit)
return EINVAL;
/* Need non-null pattern that fits within the NIC's filter pattern */
- if (spec->length == 0 || spec->length > FILTER_GENERIC_1_KEY_LEN ||
+ if (spec->length == 0 ||
+ spec->length + sizeof(struct udp_hdr) > FILTER_GENERIC_1_KEY_LEN ||
!spec->pattern || !mask->pattern)
return EINVAL;
/*