lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1573671079-27248-1-git-send-email-michael.chan@broadcom.com>
Date:   Wed, 13 Nov 2019 13:51:19 -0500
From:   Michael Chan <michael.chan@...adcom.com>
To:     davem@...emloft.net
Cc:     netdev@...r.kernel.org, olof@...om.net,
        Venkat Duvvuru <venkatkumar.duvvuru@...adcom.com>
Subject: [PATCH net-next] bnxt_en: Fix array overrun in bnxt_fill_l2_rewrite_fields().

From: Venkat Duvvuru <venkatkumar.duvvuru@...adcom.com>

Fix the array overrun while keeping the eth_addr and eth_addr_mask
pointers as u16 to avoid unaligned u16 access.  These were overlooked
when modifying the code to use u16 pointer for proper alignment.

Fixes: 90f906243bf6 ("bnxt_en: Add support for L2 rewrite")
Reported-by: Olof Johansson <olof@...om.net>
Signed-off-by: Venkat Duvvuru <venkatkumar.duvvuru@...adcom.com>
Signed-off-by: Michael Chan <michael.chan@...adcom.com>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 ++--
 drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
index 174412a..0cc6ec5 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
@@ -166,8 +166,8 @@ bnxt_fill_l2_rewrite_fields(struct bnxt_tc_actions *actions,
 			actions->l2_rewrite_dmac[j] = cpu_to_be16(*(p + j));
 	}
 
-	if (!is_wildcard(&eth_addr_mask[ETH_ALEN], ETH_ALEN)) {
-		if (!is_exactmatch(&eth_addr_mask[ETH_ALEN], ETH_ALEN))
+	if (!is_wildcard(&eth_addr_mask[ETH_ALEN / 2], ETH_ALEN)) {
+		if (!is_exactmatch(&eth_addr_mask[ETH_ALEN / 2], ETH_ALEN))
 			return -EINVAL;
 		/* FW expects smac to be in u16 array format */
 		p = &eth_addr[ETH_ALEN / 2];
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h
index 2867549..10c62b0 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h
@@ -64,9 +64,9 @@ struct bnxt_tc_tunnel_key {
 
 #define bnxt_eth_addr_key_mask_invalid(eth_addr, eth_addr_mask)		\
 	((is_wildcard(&(eth_addr)[0], ETH_ALEN) &&			\
-	 is_wildcard(&(eth_addr)[ETH_ALEN], ETH_ALEN)) ||		\
+	 is_wildcard(&(eth_addr)[ETH_ALEN / 2], ETH_ALEN)) ||		\
 	(is_wildcard(&(eth_addr_mask)[0], ETH_ALEN) &&			\
-	 is_wildcard(&(eth_addr_mask)[ETH_ALEN], ETH_ALEN)))
+	 is_wildcard(&(eth_addr_mask)[ETH_ALEN / 2], ETH_ALEN)))
 
 struct bnxt_tc_actions {
 	u32				flags;
-- 
2.5.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ