bnxt_hwrm_func_backing_store_qcaps_v2() trusts resp->type from the firmware response and stores it in ctxm->type. That value is later used to index fixed backing-store metadata arrays such as ctx_arr[] and bnxt_bstore_to_trace[] without a local range check. Validate the returned type before storing it and abort the query when firmware reports a type outside BNXT_CTX_V2_MAX. This keeps the fix at the point where the untrusted value enters driver state. Signed-off-by: Pengpeng Hou --- v2: - add commit message context and fix rationale - no code changes drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index 0751c0e4581a..d0446f851d66 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp) u8 init_val, init_off, i; u32 max_entries; u16 entry_size; + u16 resp_type; __le32 *p; u32 flags; @@ -8715,7 +8716,15 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp) else continue; } - ctxm->type = le16_to_cpu(resp->type); + resp_type = le16_to_cpu(resp->type); + if (resp_type >= BNXT_CTX_V2_MAX) { + netdev_warn(bp->dev, + "invalid backing store type %u returned by firmware\n", + resp_type); + rc = -EINVAL; + goto ctx_done; + } + ctxm->type = resp_type; ctxm->entry_size = entry_size; ctxm->flags = flags; ctxm->instance_bmap = le32_to_cpu(resp->instance_bit_map); -- 2.50.1 (Apple Git-155)
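Review bot: In the second hunk, the new range check rejects a bad resp->type by failing the whole query (rc = -EINVAL; goto ctx_done), which leaves any ctx_arr[] entries already filled by earlier iterations in place while the caller sees the capability query as failed; since the loop already has a `continue` path for entries it decides not to store, the commit message should say why aborting is preferred over skipping the entry, and if aborting stays, the message should be logged with netdev_err rather than netdev_warn, as the condition is fatal for this function. Also consider checking that resp_type matches the type this ctxm slot was selected for, if the slot is chosen by the requested type: a value inside the BNXT_CTX_V2_MAX range but different from the requested one would pass the new check yet still store metadata under the wrong index.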