[PATCH v2] net/txgbe: fix out of bound access

Ferruh Yigit ferruh.yigit at amd.com
Fri Nov 17 11:12:04 CET 2023

Previous message (by thread): [PATCH] net/txgbe: fix out of bound access
Next message (by thread): [PATCH v2] net/txgbe: fix out of bound access
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:

 In function 'txgbe_host_interface_command',
     inlined from 'txgbe_host_interface_command'
             at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
     inlined from 'txgbe_hic_reset'
             at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
 ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
    error: array subscript 2 is outside array bounds ofr
           'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
   145 |                     buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
 ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
 ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
    note: at offset 8 into object 'reset_cmd' of size 8
   331 |         struct txgbe_hic_reset reset_cmd;
       |                                ^~~~~~~~~

Access to buffer done based on command code, the case complained by
FW_RESET_CMD has short buffer but this code path only taken with command
0x30, so this shouldn't be a problem.

Command 0x30 no more used, removing this exception check that cause
build error.

[1]
https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log

[2]
gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912

Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
Cc: stable at dpdk.org

Reported-by: Luca Boccassi <luca.boccassi at microsoft.com>
Signed-off-by: Ferruh Yigit <ferruh.yigit at amd.com>
---
Cc: jiawenwu at trustnetic.com
Cc: jianwang at trustnetic.com

v2:
* Removed exception check for command 0x30
---
 drivers/net/txgbe/base/txgbe_mng.c | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
index df7145094f84..029a0a1fe143 100644
--- a/drivers/net/txgbe/base/txgbe_mng.c
+++ b/drivers/net/txgbe/base/txgbe_mng.c
@@ -141,21 +141,7 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
 	for (bi = 0; bi < dword_len; bi++)
 		buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
 
-	/*
-	 * If there is any thing in data position pull it in
-	 * Read Flash command requires reading buffer length from
-	 * two byes instead of one byte
-	 */
-	if (resp->cmd == 0x30) {
-		for (; bi < dword_len + 2; bi++)
-			buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
-
-		buf_len = (((u16)(resp->cmd_or_resp.ret_status) << 3)
-				  & 0xF00) | resp->buf_len;
-		hdr_size += (2 << 2);
-	} else {
-		buf_len = resp->buf_len;
-	}
+	buf_len = resp->buf_len;
 	if (!buf_len)
 		goto rel_out;
 
-- 
2.34.1

Previous message (by thread): [PATCH] net/txgbe: fix out of bound access
Next message (by thread): [PATCH v2] net/txgbe: fix out of bound access
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list