Commit d5be9df0 authored Oct 26, 2018 by Alice Michael Committed by Greg Kroah-Hartman Dec 13, 2019

virtchnl: Fix off by one error



[ Upstream commit 843faff87af261bf55eda719a06087af0486a168 ]

When calculating the valid length for a VIRTCHNL_OP_ENABLE_CHANNELS
message, we accidentally allowed messages with one extra
virtchnl_channel_info structure on the end. This happened due
to an off by one error, because we forgot that valid_len already
accounted for one virtchnl_channel_info structure, so we need to
subtract one from the num_tc value.

Signed-off-by: Alice Michael <alice.michael@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent ea962fa1

include/linux/avf/virtchnl.h

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -798,7 +798,7 @@ virtchnl_vc_validate_vf_msg(struct virtchnl_version_info *ver, u32 v_opcode,
	if (msglen >= valid_len) {		if (msglen >= valid_len) {
	struct virtchnl_tc_info *vti =		struct virtchnl_tc_info *vti =
	(struct virtchnl_tc_info *)msg;		(struct virtchnl_tc_info *)msg;
	valid_len += vti->num_tc *		valid_len += (vti->num_tc - 1) *
	sizeof(struct virtchnl_channel_info);		sizeof(struct virtchnl_channel_info);
	if (vti->num_tc == 0)		if (vti->num_tc == 0)
	err_msg_format = true;		err_msg_format = true;