ixgbe: Correct length check for round up
authorMark Rustad <mark.d.rustad@intel.com>
Mon, 14 Mar 2016 18:05:51 +0000 (11:05 -0700)
committerJeff Kirsher <jeffrey.t.kirsher@intel.com>
Thu, 7 Apr 2016 22:30:16 +0000 (15:30 -0700)
The function ixgbe_host_interface_command actually uses a multiple
of word sized buffer to do its business, but only checks against
the actual length passed in. This means that on read operations it
could be possible to modify locations beyond the length passed in.
Change the check to round up in the same way, just to avoid any
possible hazard.

Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
drivers/net/ethernet/intel/ixgbe/ixgbe_common.c

index dfdb1149b6fd2c7d1ea5a65f4376ca1bffc95404..a2ca9ef0daabbbc486011818f32579d207db9adc 100644 (file)
@@ -3557,7 +3557,7 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw *hw, u32 *buffer,
        if (buf_len == 0)
                return 0;
 
-       if (length < (buf_len + hdr_size)) {
+       if (length < round_up(buf_len, 4) + hdr_size) {
                hw_dbg(hw, "Buffer not large enough for reply message.\n");
                return IXGBE_ERR_HOST_INTERFACE_COMMAND;
        }