On Fri, Nov 03, 2023 at 05:57:48PM +0530, Yuran Pereira wrote:
The functions `bcmasp_netfilt_rd` and `bcmasp_netfilt_wr` both call
`bcmasp_netfilt_get_reg_offset` which, when it fails, returns `-EINVAL`.
This could lead to an out-of-bounds read or write when `rx_filter_core_rl`
or `rx_filter_core_wl` is called.
This patch adds a check in both functions to return immediately if
`bcmasp_netfilt_get_reg_offset` fails. This prevents potential out-of-bounds read
or writes, and ensures that no undefined or buggy behavior would originate from
the failure of `bcmasp_netfilt_get_reg_offset`.
Addresses-Coverity-IDs: 1544536 ("Out-of-bounds access")
Signed-off-by: Yuran Pereira <yuran.pereira@xxxxxxxxxxx>
---
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
index 29b04a274d07..8b90b761bdec 100644
--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
@@ -227,6 +227,8 @@ static void bcmasp_netfilt_wr(struct bcmasp_priv *priv,
reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
offset);
+ if (reg_offset < 0)
+ return;
rx_filter_core_wl(priv, val, reg_offset);
}
@@ -244,6 +246,8 @@ static u32 bcmasp_netfilt_rd(struct bcmasp_priv *priv,
reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
offset);
+ if (reg_offset < 0)
+ return 0;
Shouldn't you return an error here?
thanks
greg k-h
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature