sfxge(4): fix potential buffer overflow in Tx queue init

Improve error checking to avoid a caller overflowing the MCDI request buffer if the requested TXQ size was excessively large. Submitted by: Andy Moreton <amoreton at solarflare.com> Sponsored by: Solarflare Communications, Inc. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D18067
2018-11-23 07:50:22 +00:00 · 2018-11-23 07:50:22 +00:00 · 871a40bad0
commit 871a40bad0
parent 54070c13c2
1 changed files with 1 additions and 1 deletions
--- a/sys/dev/sfxge/common/ef10_tx.c
+++ b/sys/dev/sfxge/common/ef10_tx.c
@ -70,7 +70,7 @@ efx_mcdi_init_txq(
 	    EFX_TXQ_NBUFS(enp->en_nic_cfg.enc_txq_max_ndescs));

 	npages = EFX_TXQ_NBUFS(size);
-	if (npages > MC_CMD_INIT_TXQ_IN_DMA_ADDR_MAXNUM) {
+	if (MC_CMD_INIT_TXQ_IN_LEN(npages) > sizeof (payload)) {
 		rc = EINVAL;
 		goto fail1;
 	}