提交 b7c1a314 编写于 作者: T Thomas Graf 提交者: David S. Miller

net: Validate IFLA_BRIDGE_MODE attribute length

Payload is currently accessed blindly and may exceed valid message
boundaries.

Fixes: a77dcb8c ("be2net: set and query VEB/VEPA mode of the PF interface")
Fixes: 815cccbf ("ixgbe: add setlink, getlink support to ixgbe and ixgbevf")
Cc: Ajit Khaparde <ajit.khaparde@emulex.com>
Cc: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: NThomas Graf <tgraf@suug.ch>
Acked-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
Acked-by: NJohn Fastabend <john.r.fastabend@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 6e8d1c55
...@@ -4314,6 +4314,9 @@ static int be_ndo_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh) ...@@ -4314,6 +4314,9 @@ static int be_ndo_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh)
if (nla_type(attr) != IFLA_BRIDGE_MODE) if (nla_type(attr) != IFLA_BRIDGE_MODE)
continue; continue;
if (nla_len(attr) < sizeof(mode))
return -EINVAL;
mode = nla_get_u16(attr); mode = nla_get_u16(attr);
if (mode != BRIDGE_MODE_VEPA && mode != BRIDGE_MODE_VEB) if (mode != BRIDGE_MODE_VEPA && mode != BRIDGE_MODE_VEB)
return -EINVAL; return -EINVAL;
......
...@@ -7677,6 +7677,9 @@ static int ixgbe_ndo_bridge_setlink(struct net_device *dev, ...@@ -7677,6 +7677,9 @@ static int ixgbe_ndo_bridge_setlink(struct net_device *dev,
if (nla_type(attr) != IFLA_BRIDGE_MODE) if (nla_type(attr) != IFLA_BRIDGE_MODE)
continue; continue;
if (nla_len(attr) < sizeof(mode))
return -EINVAL;
mode = nla_get_u16(attr); mode = nla_get_u16(attr);
if (mode == BRIDGE_MODE_VEPA) { if (mode == BRIDGE_MODE_VEPA) {
reg = 0; reg = 0;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册