From: Michael Bommarito
To: Samuel Mendoza-Jonas , Paul Fertser , netdev@vger.kernel.org
Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , linux-kernel@vger.kernel.org, Michael Bommarito , stable@vger.kernel.org
Subject: [PATCH net 1/6] net/ncsi: validate response packet lengths against the skb
Date: Wed, 22 Apr 2026 12:03:37 -0400
Message-ID: <20260422160342.1975093-2-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>

ncsi_rcv_rsp() reads the common packet header before checking that the
skb contains enough data for it, and ncsi_validate_rsp_pkt() trusts the
response payload length before accessing the checksum field. Malformed
NC-SI replies can therefore drive header and checksum reads past the
received packet body.

Make the dispatcher pull the common header first, then have
ncsi_validate_rsp_pkt() pull the full response body before validating
the packet. This keeps malformed responses on the error path instead of
letting the parser walk past the skb payload.

Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/ncsi/ncsi-rsp.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index fbd84bc8026a..1fe061ede26d 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -38,11 +38,18 @@ static int ncsi_validate_rsp_pkt(struct ncsi_request *n= r, struct ncsi_rsp_pkt_hdr *h; u32 checksum; __be32 *pchecksum; + unsigned int len; =20 /* Check NCSI packet header. We don't need validate * the packet type, which should have been checked * before calling this function. */ + len =3D skb_network_offset(nr->rsp) + sizeof(*h) + ALIGN(payload, 4); + if (!pskb_may_pull(nr->rsp, len)) { + netdev_dbg(nr->ndp->ndev.dev, "NCSI: packet too short\n"); + return -EINVAL; + } + h =3D (struct ncsi_rsp_pkt_hdr *)skb_network_header(nr->rsp); =20 if (h->common.revision !=3D NCSI_PKT_REVISION) { 
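Review bot: the pull length in the ncsi_validate_rsp_pkt() hunk is built from the `payload` argument, and for the variable-length handlers that value is whatever the response's own length field said, so this pull is the only thing that guarantees the skb really holds the advertised bytes; the later payload-length checks in this series rely on that, and the existing "Check NCSI packet header" comment should say so. Also, pskb_may_pull() may relocate the linear buffer when it has to pull from frags, so deriving `h` after the pull, as the hunk does, is the right order; any header pointer the caller computed before calling this function must not be reused after it returns.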
@@ -1182,6 +1189,11 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_dev= ice *dev, } =20 /* Check if it is AEN packet */ + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*hdr))) { + ret =3D -EINVAL; + goto err_free_skb; + } + hdr =3D (struct ncsi_pkt_hdr *)skb_network_header(skb); if (hdr->type =3D=3D NCSI_PKT_AEN) return ncsi_aen_handler(ndp, skb); --=20 2.53.0
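Review bot: the short-packet branch in the ncsi_rcv_rsp() hunk fails silently with `ret = -EINVAL`, while the matching check added to ncsi_validate_rsp_pkt() logs "NCSI: packet too short" via netdev_dbg(); a frame dropped here never reaches the validator, so the same debug message belongs here too. Note also that the AEN branch directly below (`return ncsi_aen_handler(ndp, skb)`) now runs with only the common header pulled; unless the AEN validator does its own body pull, which this patch does not show, the AEN path needs the equivalent of the ncsi_validate_rsp_pkt() change.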
From: Michael Bommarito
To: Samuel Mendoza-Jonas , Paul Fertser , netdev@vger.kernel.org
Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , linux-kernel@vger.kernel.org, Michael Bommarito , stable@vger.kernel.org
Subject: [PATCH net 2/6] net/ncsi: bound filter table state to software limits
Date: Wed, 22 Apr 2026 12:03:38 -0400
Message-ID: <20260422160342.1975093-3-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>

The NCSI filter state uses single-word bitmaps for both MAC and VLAN
entries, but Get Capabilities and Get Parameters responses can still
feed larger counts into that state.

Cap the stored VLAN table size to the bitmap width before it reaches the
manage-side bitmap walkers, reject GP tables that exceed the sizes
advertised by GC, and stop indexing the MAC filter bitmap past its
software capacity. Also stop shifting past the width of the enable
bitfields when GP reports more entries than fit in those masks.

This keeps oversized or inconsistent filter counts from turning into
out-of-bounds bitmap accesses and oversized table walks in the response
and manage paths. A follow-up patch in this series separately validates
that the GP payload actually covers the consumed MAC/VLAN table bytes.

A live x86_64/KASAN QEMU repro can drive this after GC advertises a
single MAC filter slot and GP then reports mac_cnt=65. Without this
change, KASAN reports a slab-out-of-bounds write in
ncsi_rsp_handler_gp(); with this change applied, the same reply is
rejected with -ERANGE.
Fixes: 062b3e1b6d4f ("net/ncsi: Refactor MAC, VLAN filters") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- net/ncsi/ncsi-rsp.c | 46 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c index 1fe061ede26d..47ddf2bbb13b 100644 --- a/net/ncsi/ncsi-rsp.c +++ b/net/ncsi/ncsi-rsp.c @@ -22,6 +22,8 @@ /* Nibbles within [0xA, 0xF] add zero "0" to the returned value. * Optional fields (encoded as 0xFF) will default to zero. */ +#define NCSI_FILTER_BITS BITS_PER_TYPE(u64) + static u8 decode_bcd_u8(u8 x) { int lo =3D x & 0xF; @@ -32,6 +34,12 @@ static u8 decode_bcd_u8(u8 x) return lo + hi * 10; } =20 +static bool ncsi_filter_is_enabled(unsigned long enable, unsigned int inde= x, + unsigned int nbits) +{ + return index < nbits && (enable & BIT(index)); +} + static int ncsi_validate_rsp_pkt(struct ncsi_request *nr, unsigned short payload) { @@ -481,7 +489,8 @@ static int ncsi_rsp_handler_sma(struct ncsi_request *nr) bitmap =3D &ncf->bitmap; =20 if (cmd->index =3D=3D 0 || - cmd->index > ncf->n_uc + ncf->n_mc + ncf->n_mixed) + cmd->index > ncf->n_uc + ncf->n_mc + ncf->n_mixed || + cmd->index > NCSI_FILTER_BITS) return -ERANGE; =20 index =3D (cmd->index - 1) * ETH_ALEN; @@ -798,6 +807,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) struct ncsi_channel *nc; struct ncsi_package *np; size_t size; + unsigned int vlan_cnt; =20 /* Find the channel */ rsp =3D (struct ncsi_rsp_gc_pkt *)skb_network_header(nr->rsp); 
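Review bot: the new `#define NCSI_FILTER_BITS BITS_PER_TYPE(u64)` in the first hunk lands between the comment block that documents decode_bcd_u8() ("Nibbles within [0xA, 0xF] add zero ...") and the function itself, so the comment no longer sits on its function; move the define above that comment or next to the filter state it describes. In the ncsi_rsp_handler_gc() hunk, `unsigned int vlan_cnt;` is added after the shorter `size_t size;`, against the reverse-christmas-tree ordering netdev expects for declarations; put it before `size_t size;`.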
@@ -819,6 +829,12 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) nc->caps[NCSI_CAP_VLAN].cap =3D rsp->vlan_mode & NCSI_CAP_VLAN_MASK; =20 + vlan_cnt =3D min_t(unsigned int, rsp->vlan_cnt, NCSI_FILTER_BITS); + if (vlan_cnt !=3D rsp->vlan_cnt) + netdev_warn(ndp->ndev.dev, + "NCSI: VLAN filter count %u exceeds software limit %u\n", + rsp->vlan_cnt, (unsigned int)NCSI_FILTER_BITS); + size =3D (rsp->uc_cnt + rsp->mc_cnt + rsp->mixed_cnt) * ETH_ALEN; nc->mac_filter.addrs =3D kzalloc(size, GFP_ATOMIC); if (!nc->mac_filter.addrs) @@ -827,7 +843,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) nc->mac_filter.n_mc =3D rsp->mc_cnt; nc->mac_filter.n_mixed =3D rsp->mixed_cnt; =20 - nc->vlan_filter.vids =3D kcalloc(rsp->vlan_cnt, + nc->vlan_filter.vids =3D kcalloc(vlan_cnt, sizeof(*nc->vlan_filter.vids), GFP_ATOMIC); if (!nc->vlan_filter.vids) @@ -836,7 +852,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) * configuration state */ nc->vlan_filter.bitmap =3D U64_MAX; - nc->vlan_filter.n_vids =3D rsp->vlan_cnt; + nc->vlan_filter.n_vids =3D vlan_cnt; np->ndp->channel_count =3D rsp->channel_cnt; =20 return 0; @@ -853,6 +869,9 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *nr) unsigned char *pdata; unsigned long flags; void *bitmap; + unsigned int mac_cnt; + unsigned int mac_nbits; + unsigned int vlan_cnt; int i; =20 /* Find the channel */ @@ -862,6 +881,15 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *nr) if (!nc) return -ENODEV; =20 + ncmf =3D &nc->mac_filter; + ncvf =3D &nc->vlan_filter; + mac_cnt =3D min_t(unsigned int, rsp->mac_cnt, NCSI_FILTER_BITS); + mac_nbits =3D ncmf->n_uc + ncmf->n_mc + ncmf->n_mixed; + vlan_cnt =3D min_t(unsigned int, rsp->vlan_cnt, ncvf->n_vids); + + if (rsp->mac_cnt > mac_nbits || rsp->vlan_cnt > ncvf->n_vids) + return -ERANGE; + /* Modes with explicit enabled indications */ if (ntohl(rsp->valid_modes) & 0x1) { /* BC filter mode */ nc->modes[NCSI_MODE_BC].enable =3D 1; 
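Review bot: in the ncsi_rsp_handler_gp() hunk the `-ERANGE` check on `rsp->mac_cnt > mac_nbits || rsp->vlan_cnt > ncvf->n_vids` comes after the clamps, so `vlan_cnt = min_t(unsigned int, rsp->vlan_cnt, ncvf->n_vids)` always equals rsp->vlan_cnt when the function proceeds; compute the counts after the check or drop that min. More importantly, `mac_cnt` is clamped to NCSI_FILTER_BITS rather than rejected, while the ncsi_rsp_handler_gc() hunk caps only the VLAN count and leaves n_uc/n_mc/n_mixed uncapped: a GC reply advertising more than NCSI_FILTER_BITS MAC slots followed by a GP reply with mac_cnt in that range passes the `-ERANGE` check and is then silently truncated. Rejecting `rsp->mac_cnt > NCSI_FILTER_BITS` with `-ERANGE`, as the SMA hunk now does for `cmd->index`, would be the consistent choice. The three new `unsigned int` declarations also land after `void *bitmap;`, against reverse-christmas-tree order.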
@@ -887,11 +915,11 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *n= r) /* MAC addresses filter table */ pdata =3D (unsigned char *)rsp + 48; enable =3D rsp->mac_enable; - ncmf =3D &nc->mac_filter; spin_lock_irqsave(&nc->lock, flags); bitmap =3D &ncmf->bitmap; - for (i =3D 0; i < rsp->mac_cnt; i++, pdata +=3D 6) { - if (!(enable & (0x1 << i))) + for (i =3D 0; i < mac_cnt; i++, pdata +=3D 6) { + if (!ncsi_filter_is_enabled(enable, i, + BITS_PER_TYPE(rsp->mac_enable))) clear_bit(i, bitmap); else set_bit(i, bitmap); 
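Review bot: the MAC table loop now stops at the clamped `mac_cnt`, but `pdata` is the same cursor the VLAN table loop continues from (`pdata += 2` in the next hunk), and the on-wire VLAN table begins after `rsp->mac_cnt` six-byte entries, not after `mac_cnt` of them. Whenever the clamp actually bites (rsp->mac_cnt above NCSI_FILTER_BITS but within the GC-advertised total), the VLAN entries are read from the middle of the MAC table unless pdata is re-based between the two loops, which the hunks do not show. Either advance pdata by `rsp->mac_cnt * ETH_ALEN` independently of the clamp, or reject such counts outright as suggested for the previous hunk.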
@@ -902,11 +930,11 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *n= r) =20 /* VLAN filter table */ enable =3D ntohs(rsp->vlan_enable); - ncvf =3D &nc->vlan_filter; bitmap =3D &ncvf->bitmap; spin_lock_irqsave(&nc->lock, flags); - for (i =3D 0; i < rsp->vlan_cnt; i++, pdata +=3D 2) { - if (!(enable & (0x1 << i))) + for (i =3D 0; i < vlan_cnt; i++, pdata +=3D 2) { + if (!ncsi_filter_is_enabled(enable, i, + BITS_PER_TYPE(rsp->vlan_enable))) clear_bit(i, bitmap); else set_bit(i, bitmap); --=20 2.53.0
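Review bot: with `BITS_PER_TYPE(rsp->vlan_enable)` as the limit, every VLAN entry whose index is at or beyond the width of the enable field is now cleared unconditionally, while `vlan_cnt` may still run up to the GC-capped `n_vids`. The previous `0x1 << i` shifted out of range for those indices, so this is the right fix, but it silently narrows a larger advertised table to the enable mask; a short comment on ncsi_filter_is_enabled() stating that indices outside the mask are reported as disabled by design (the same applies to the MAC loop) would stop the next reader from treating it as a truncation bug.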
From: Michael Bommarito
To: Samuel Mendoza-Jonas , Paul Fertser , netdev@vger.kernel.org
Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , linux-kernel@vger.kernel.org, Michael Bommarito , stable@vger.kernel.org
Subject: [PATCH net 3/6] net/ncsi: validate GMCMA address counts against the payload
Date: Wed, 22 Apr 2026 12:03:39 -0400
Message-ID: <20260422160342.1975093-4-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>

Get MC MAC Address responses carry a flexible array of provisioned
addresses, but the handler currently trusts address_count without first
checking that the advertised payload actually contains that many MAC
entries.

Validate the fixed GMCMA fields plus checksum, then make sure the
address_count fits in the remaining payload before the handler walks the
address array.

Fixes: b8291cf3d118 ("net/ncsi: Add NC-SI 1.2 Get MC MAC Address command")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/ncsi/ncsi-rsp.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 47ddf2bbb13b..cbddb2012f90 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -40,6 +40,14 @@ static bool ncsi_filter_is_enabled(unsigned long enable,= unsigned int index, return index < nbits && (enable & BIT(index)); } =20 +static unsigned int ncsi_rsp_payload(struct sk_buff *skb) +{ + struct ncsi_rsp_pkt_hdr *h; + + h =3D (struct ncsi_rsp_pkt_hdr *)skb_network_header(skb); + return ntohs(h->common.length); +} + static int ncsi_validate_rsp_pkt(struct ncsi_request *nr, unsigned short payload) { 
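Review bot: ncsi_rsp_payload() returns the length field exactly as the device reported it, and the checks built on it here and in the next patch are only sound because ncsi_validate_rsp_pkt() has already pulled `sizeof(*h) + ALIGN(payload, 4)` bytes for the variable-length handlers; that precondition should be spelled out in a comment on the helper, since nothing in its signature stops it from being called on a path where that pull has not happened.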
@@ -1127,9 +1135,21 @@ static int ncsi_rsp_handler_gmcma(struct ncsi_reques= t *nr) struct sockaddr_storage *saddr =3D &ndp->pending_mac; struct net_device *ndev =3D ndp->ndev.dev; struct ncsi_rsp_gmcma_pkt *rsp; + unsigned int addr_bytes; + unsigned int payload; int i; =20 rsp =3D (struct ncsi_rsp_gmcma_pkt *)skb_network_header(nr->rsp); + payload =3D ncsi_rsp_payload(nr->rsp); + if (payload < sizeof(rsp->address_count) + sizeof(rsp->reserved) + + sizeof(__be32)) + return -EINVAL; + + addr_bytes =3D payload - sizeof(rsp->address_count) - + sizeof(rsp->reserved) - sizeof(__be32); + if (rsp->address_count > addr_bytes / ETH_ALEN) + return -EINVAL; + ndev->priv_flags |=3D IFF_LIVE_ADDR_CHANGE; =20 netdev_info(ndev, "NCSI: Received %d provisioned MAC addresses\n", --=20 2.53.0
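Review bot: the two guards in the ncsi_rsp_handler_gmcma() hunk spell out `sizeof(rsp->address_count) + sizeof(rsp->reserved) + sizeof(__be32)` twice by hand, and the trailing `sizeof(__be32)` standing in for the checksum word recurs in every OEM check of the following patch; a named fixed-fields length next to the packet struct and a named checksum size would keep those expressions from drifting apart. The integer division in `addr_bytes / ETH_ALEN` floors, so a payload that ends in the middle of an address is rejected as well; a one-line comment saying that is intended saves the obvious review question.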
From: Michael Bommarito
To: Samuel Mendoza-Jonas , Paul Fertser , netdev@vger.kernel.org
Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , linux-kernel@vger.kernel.org, Michael Bommarito , stable@vger.kernel.org
Subject: [PATCH net 4/6] net/ncsi: validate OEM response payloads before parsing
Date: Wed, 22 Apr 2026 12:03:40 -0400
Message-ID: <20260422160342.1975093-5-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>

Reject truncated OEM responses before reading the manufacturer ID,
vendor-specific subheaders, or vendor MAC address payloads.

The OEM response dispatcher reads rsp->mfr_id without verifying that the
skb contains the manufacturer field and checksum. The Mellanox,
Broadcom, and Intel handlers then read their command-specific headers
without checking that the payload is large enough for those fields. The
shared GMA helper finally copies a MAC address from a
manufacturer-specific offset without validating that the payload reaches
that offset.

Validate the advertised payload before each of those reads so malformed
or truncated BMC responses are rejected before the parser touches data
past the end of the skb.

Fixes: fb4ee67529ff ("net/ncsi: Add NCSI OEM command support")
Fixes: cb10c7c0dfd9 ("net/ncsi: Add NCSI Broadcom OEM command")
Fixes: 16e8c4ca21a2 ("net/ncsi: Add NCSI Mellanox OEM command")
Fixes: 205b95fe658d ("net/ncsi: add get MAC address command to get Intel i210 MAC address")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/ncsi/ncsi-rsp.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c index cbddb2012f90..94354dca23ea 100644 --- a/net/ncsi/ncsi-rsp.c +++ b/net/ncsi/ncsi-rsp.c @@ -656,6 +656,7 @@ static int ncsi_rsp_handler_oem_gma(struct ncsi_request= *nr, int mfr_id) struct net_device *ndev =3D ndp->ndev.dev; struct ncsi_rsp_oem_pkt *rsp; u32 mac_addr_off =3D 0; + unsigned int payload; =20 /* Get the response header */ rsp =3D (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); @@ -668,6 +669,11 @@ static int ncsi_rsp_handler_oem_gma(struct ncsi_reques= t *nr, int mfr_id) else if (mfr_id =3D=3D NCSI_OEM_MFR_INTEL_ID) mac_addr_off =3D INTEL_MAC_ADDR_OFFSET; =20 + payload =3D ncsi_rsp_payload(nr->rsp); + if (payload < sizeof(rsp->mfr_id) + mac_addr_off + ETH_ALEN + + sizeof(__be32)) + return -EINVAL; + saddr->ss_family =3D ndev->type; memcpy(saddr->__data, &rsp->data[mac_addr_off], ETH_ALEN); if (mfr_id =3D=3D NCSI_OEM_MFR_BCM_ID || mfr_id =3D=3D NCSI_OEM_MFR_INTEL= _ID) @@ -686,9 +692,14 @@ static int ncsi_rsp_handler_oem_mlx(struct ncsi_reques= t *nr) { struct ncsi_rsp_oem_mlx_pkt *mlx; struct ncsi_rsp_oem_pkt *rsp; + unsigned int payload; =20 /* Get the response header */ rsp =3D (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); + payload =3D ncsi_rsp_payload(nr->rsp); + if (payload < sizeof(rsp->mfr_id) + sizeof(*mlx) + sizeof(__be32)) + return -EINVAL; + mlx =3D (struct ncsi_rsp_oem_mlx_pkt *)(rsp->data); =20 if (mlx->cmd =3D=3D NCSI_OEM_MLX_CMD_GMA && @@ -702,9 +713,14 @@ static int ncsi_rsp_handler_oem_bcm(struct ncsi_reques= t *nr) { struct ncsi_rsp_oem_bcm_pkt *bcm; struct ncsi_rsp_oem_pkt *rsp; + unsigned int payload; =20 /* Get the response header */ rsp =3D (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); + payload =3D ncsi_rsp_payload(nr->rsp); + if (payload < sizeof(rsp->mfr_id) + sizeof(*bcm) + sizeof(__be32)) + return -EINVAL; + bcm =3D (struct ncsi_rsp_oem_bcm_pkt *)(rsp->data); =20 if (bcm->type =3D=3D NCSI_OEM_BCM_CMD_GMA) 
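Review bot: in the ncsi_rsp_handler_oem_gma() hunk, `mac_addr_off` keeps its initial value of 0 for any mfr_id that is not Mellanox, Broadcom or Intel, so the new length check passes and the memcpy still copies a MAC from `rsp->data[0]`; that was the pre-existing behaviour, but now that the helper encodes a per-vendor layout it should return -EINVAL for an mfr_id it has no offset for rather than accept a layout it does not know. The mlx and bcm hunks check only `sizeof(*mlx)` / `sizeof(*bcm)`, i.e. the vendor subheader; the MAC bytes are bounded by the later call into oem_gma, so the layering holds, and a comment at those call sites saying so would make that explicit.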
@@ -717,9 +733,14 @@ static int ncsi_rsp_handler_oem_intel(struct ncsi_requ= est *nr) { struct ncsi_rsp_oem_intel_pkt *intel; struct ncsi_rsp_oem_pkt *rsp; + unsigned int payload; =20 /* Get the response header */ rsp =3D (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); + payload =3D ncsi_rsp_payload(nr->rsp); + if (payload < sizeof(rsp->mfr_id) + sizeof(*intel) + sizeof(__be32)) + return -EINVAL; + intel =3D (struct ncsi_rsp_oem_intel_pkt *)(rsp->data); =20 if (intel->cmd =3D=3D NCSI_OEM_INTEL_CMD_GMA) 
@@ -742,10 +763,15 @@ static int ncsi_rsp_handler_oem(struct ncsi_request *= nr) { struct ncsi_rsp_oem_handler *nrh =3D NULL; struct ncsi_rsp_oem_pkt *rsp; + unsigned int payload; unsigned int mfr_id, i; =20 /* Get the response header */ rsp =3D (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); + payload =3D ncsi_rsp_payload(nr->rsp); + if (payload < sizeof(rsp->mfr_id) + sizeof(__be32)) + return -EINVAL; + mfr_id =3D ntohl(rsp->mfr_id); =20 /* Check for manufacturer id and Find the handler */ --=20 2.53.0
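Review bot: the bound added to ncsi_rsp_handler_oem_gma in the "@@ -668,6 +669,11 @@" hunk (`if (payload < sizeof(rsp->mfr_id) + mac_addr_off + ETH_ALEN + sizeof(__be32))`) is only as strong as the value ncsi_rsp_payload() returns; the commit message calls it the advertised payload, so the memcpy is safe only if the caller has already pulled that many bytes into the skb, otherwise a BMC can advertise a long payload in a short frame and the read still runs past the tail. A one-line comment above the check naming the caller that guarantees this, or a pskb_may_pull() here as the AEN patch in this series does, would make the invariant visible to the next reader.

Review bot: the length check inserted in ncsi_rsp_handler_oem_mlx ("@@ -686,9 +692,14 @@") is repeated verbatim, with only the struct type changed, in the bcm and intel hunks that follow; a small helper such as `ncsi_rsp_oem_check_len(nr, sizeof(*mlx))` would keep the three in step and give the bare `sizeof(__be32)` checksum term a name (the GP patch later in this series writes it as `sizeof(rsp->checksum)`, which reads better).

Review bot: ncsi_rsp_handler_oem in the final hunk ("@@ -742,10 +763,15 @@") now calls ncsi_rsp_payload(), which is not defined anywhere in this diff, so the patch must rely on an earlier change in the series; since it carries Cc: stable and four Fixes: tags reaching back to the original OEM support, the commit message should state that dependency (or the helper should be introduced here) so that a stable backport of 4/6 on its own does not fail to build.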
From: Michael Bommarito
To: Samuel Mendoza-Jonas, Paul Fertser, netdev@vger.kernel.org
Cc: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux-kernel@vger.kernel.org, Michael Bommarito, stable@vger.kernel.org
Subject: [PATCH net 5/6] net/ncsi: validate AEN packet lengths against the skb
Date: Wed, 22 Apr 2026 12:03:41 -0400
Message-ID: <20260422160342.1975093-6-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

AEN packets are dispatched after only pulling the 16-byte common header. ncsi_aen_handler() then reads the 20-byte AEN header to select a per-type handler, and ncsi_validate_aen_pkt() walks farther into the payload and checksum without first ensuring the skb contains those bytes.

Pull the AEN-specific header before reading h->type, and pull the full AEN header plus aligned payload before checksum validation. That keeps short AEN packets from reading past the skb tail on the AEN path.

Fixes: 2d283bdd079c ("net/ncsi: Resource management")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/ncsi/ncsi-aen.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/net/ncsi/ncsi-aen.c b/net/ncsi/ncsi-aen.c
index 040a31557201..cd34ef144cf8 100644
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -16,11 +16,19 @@ #include "internal.h" #include "ncsi-pkt.h" =20 -static int ncsi_validate_aen_pkt(struct ncsi_aen_pkt_hdr *h, +static int ncsi_validate_aen_pkt(struct sk_buff *skb, const unsigned short payload) { + struct ncsi_aen_pkt_hdr *h; u32 checksum; __be32 *pchecksum; + unsigned int len; + + len =3D skb_network_offset(skb) + sizeof(*h) + ALIGN(payload, 4); + if (!pskb_may_pull(skb, len)) + return -EINVAL; + + h =3D (struct ncsi_aen_pkt_hdr *)skb_network_header(skb); =20 if (h->common.revision !=3D NCSI_PKT_REVISION) return -EINVAL; @@ -31,7 +39,7 @@ static int ncsi_validate_aen_pkt(struct ncsi_aen_pkt_hdr = *h, * sender doesn't support checksum according to NCSI * specification. */ - pchecksum =3D (__be32 *)((void *)(h + 1) + payload - 4); + pchecksum =3D (__be32 *)((void *)(h + 1) + ALIGN(payload, 4) - 4); if (ntohl(*pchecksum) =3D=3D 0) return 0; =20 @@ -210,12 +218,19 @@ int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struc= t sk_buff *skb) { struct ncsi_aen_pkt_hdr *h; struct ncsi_aen_handler *nah =3D NULL; + unsigned char type; int i, ret; =20 + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*h))) { + ret =3D -EINVAL; + goto out; + } + /* Find the handler */ h =3D (struct ncsi_aen_pkt_hdr *)skb_network_header(skb); + type =3D h->type; for (i =3D 0; i < ARRAY_SIZE(ncsi_aen_handlers); i++) { - if (ncsi_aen_handlers[i].type =3D=3D h->type) { + if (ncsi_aen_handlers[i].type =3D=3D type) { nah =3D &ncsi_aen_handlers[i]; break; } 
@@ -223,24 +238,25 @@ int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struc= t sk_buff *skb) =20 if (!nah) { netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n", - h->type); + type); ret =3D -ENOENT; goto out; } =20 - ret =3D ncsi_validate_aen_pkt(h, nah->payload); + ret =3D ncsi_validate_aen_pkt(skb, nah->payload); if (ret) { netdev_warn(ndp->ndev.dev, "NCSI: 'bad' packet ignored for AEN type 0x%x\n", - h->type); + type); goto out; } =20 + h =3D (struct ncsi_aen_pkt_hdr *)skb_network_header(skb); ret =3D nah->handler(ndp, h); if (ret) netdev_err(ndp->ndev.dev, "NCSI: Handler for AEN type 0x%x returned %d\n", - h->type, ret); + type, ret); out: consume_skb(skb); return ret; --=20 2.53.0
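Review bot: the pchecksum hunk ("@@ -31,7 +39,7 @@") moves the checksum read from `(h + 1) + payload - 4` to `(h + 1) + ALIGN(payload, 4) - 4`, which is a behaviour change for any AEN type whose table payload is not a multiple of 4, yet the commit message only mentions pulling the aligned length before validation. Either state that every entry in ncsi_aen_handlers already has a 4-byte-aligned payload (making this a no-op today) or describe the relocation explicitly, since it also changes which bytes a stable kernel will checksum.

Review bot: in the ncsi_aen_handler hunk ("@@ -210,12 +218,19 @@") the new short-header path returns -EINVAL silently (`ret =3D -EINVAL; goto out;`), while the two existing failure paths in the same function emit a netdev_warn(); if the asymmetry is deliberate, to avoid log noise from a misbehaving BMC, a comment saying so would help, otherwise log it like the 'bad' packet case so truncated AENs are visible in dmesg.

Review bot: re-reading `h` from skb_network_header(skb) after ncsi_validate_aen_pkt() in the last hunk ("@@ -223,24 +238,25 @@"), together with caching `type` before the call, is the correct fix, because pskb_may_pull() inside the validator may reallocate the head and leave the old pointer dangling; a one-line comment above the re-read (e.g. "validate may have pulled the skb; refresh h") would keep a later cleanup from folding it back into the earlier assignment.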
From: Michael Bommarito
To: Samuel Mendoza-Jonas, Paul Fertser, netdev@vger.kernel.org
Cc: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux-kernel@vger.kernel.org, Michael Bommarito, stable@vger.kernel.org
Subject: [PATCH net 6/6] net/ncsi: validate GP payload lengths before parsing
Date: Wed, 22 Apr 2026 12:03:42 -0400
Message-ID: <20260422160342.1975093-7-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260422160342.1975093-1-michael.bommarito@gmail.com>
References: <20260422160342.1975093-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ncsi_rsp_handler_gp() now bounds MAC and VLAN counts to software and GC-reported limits, but it still assumes the advertised GP payload is large enough for the fixed fields plus the consumed filter-table bytes. A short GP reply can still make parsing start past the payload or walk beyond its tail.

Validate that the declared GP payload covers the fixed GP prefix, the consumed MAC and VLAN entries, and the checksum before parsing the filter tables.

Fixes: 062b3e1b6d4f ("net/ncsi: Refactor MAC, VLAN filters")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/ncsi/ncsi-rsp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 94354dca23ea..565d38fd4b92 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -899,6 +899,8 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *nr) struct ncsi_dev_priv *ndp =3D nr->ndp; struct ncsi_rsp_gp_pkt *rsp; struct ncsi_channel *nc; + size_t needed; + unsigned int payload; unsigned short enable; unsigned char *pdata; unsigned long flags;
@@ -924,6 +926,14 @@ static int ncsi_rsp_handler_gp(struct ncsi_request *nr) if (rsp->mac_cnt > mac_nbits || rsp->vlan_cnt > ncvf->n_vids) return -ERANGE; =20 + payload =3D ncsi_rsp_payload(nr->rsp); + needed =3D offsetof(struct ncsi_rsp_gp_pkt, mac) - sizeof(rsp->rsp); + needed +=3D mac_cnt * ETH_ALEN; + needed +=3D vlan_cnt * sizeof(__be16); + needed +=3D sizeof(rsp->checksum); + if (payload < needed) + return -EINVAL; + /* Modes with explicit enabled indications */ if (ntohl(rsp->valid_modes) & 0x1) { /* BC filter mode */ nc->modes[NCSI_MODE_BC].enable =3D 1; --=20 2.53.0
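Review bot: the declaration hunk ("@@ -899,6 +899,8 @@") inserts `size_t needed;` above longer declarations such as `unsigned short enable;`; netdev asks for reverse Christmas tree ordering of local declarations, so the two new lines should be placed by length, and using `unsigned int` for `needed` as well as `payload` (as the OEM handlers in this file do for their bounds) would avoid the mixed size_t/unsigned int comparison.

Review bot: the added lines in the "@@ -924,6 +926,14 @@" hunk use bare `mac_cnt` and `vlan_cnt` (`needed +=3D mac_cnt * ETH_ALEN;`), while the context line directly above reads `rsp->mac_cnt` and `rsp->vlan_cnt`; unless an earlier patch in this series declares those locals this will not compile, and if it does, the commit message's "consumed MAC and VLAN entries" should say how the locals relate to the on-wire counts (they only match `rsp->mac_cnt`/`rsp->vlan_cnt` if the -ERANGE check above rejects rather than clamps). The bound itself is sound as a lower bound: `offsetof(struct ncsi_rsp_gp_pkt, mac) - sizeof(rsp->rsp)` covers the fixed GP fields after the response header, and `sizeof(rsp->checksum)` covers the trailing word, so a declared payload shorter than the entries the loops will walk is now rejected before pdata is dereferenced.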