[PATCH net 3/6] net/ncsi: validate GMCMA address counts against the payload
From: Michael Bommarito
Date: Wed Apr 22 2026 - 12:07:56 EST
Get MC MAC Address responses carry a flexible array of provisioned
addresses, but the handler currently trusts address_count without first
checking that the advertised payload actually contains that many MAC
entries.
Validate the fixed GMCMA fields plus checksum, then make sure the
address_count fits in the remaining payload before the handler walks
the address array.
Fixes: b8291cf3d118 ("net/ncsi: Add NC-SI 1.2 Get MC MAC Address command")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
net/ncsi/ncsi-rsp.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 47ddf2bbb13b..cbddb2012f90 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -40,6 +40,14 @@ static bool ncsi_filter_is_enabled(unsigned long enable, unsigned int index,
return index < nbits && (enable & BIT(index));
}
+static unsigned int ncsi_rsp_payload(struct sk_buff *skb)
+{
+ struct ncsi_rsp_pkt_hdr *h;
+
+ h = (struct ncsi_rsp_pkt_hdr *)skb_network_header(skb);
+ return ntohs(h->common.length);
+}
+
static int ncsi_validate_rsp_pkt(struct ncsi_request *nr,
unsigned short payload)
{
@@ -1127,9 +1135,21 @@ static int ncsi_rsp_handler_gmcma(struct ncsi_request *nr)
struct sockaddr_storage *saddr = &ndp->pending_mac;
struct net_device *ndev = ndp->ndev.dev;
struct ncsi_rsp_gmcma_pkt *rsp;
+ unsigned int addr_bytes;
+ unsigned int payload;
int i;
rsp = (struct ncsi_rsp_gmcma_pkt *)skb_network_header(nr->rsp);
+ payload = ncsi_rsp_payload(nr->rsp);
+ if (payload < sizeof(rsp->address_count) + sizeof(rsp->reserved) +
+ sizeof(__be32))
+ return -EINVAL;
+
+ addr_bytes = payload - sizeof(rsp->address_count) -
+ sizeof(rsp->reserved) - sizeof(__be32);
+ if (rsp->address_count > addr_bytes / ETH_ALEN)
+ return -EINVAL;
+
ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
netdev_info(ndev, "NCSI: Received %d provisioned MAC addresses\n",
--
2.53.0