igbvf: integer wrapping bug setting the mtu
If new_mtu is very large then "new_mtu + ETH_HLEN + ETH_FCS_LEN" can wrap and the check on the next line can underflow. This is one of those bugs which can be triggered by the user if you have namespaces configured. Also since this is something the user can trigger then we don't want to have dev_err() message. This is a static checker fix and I'm not sure what the impact is. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Tested-by: Sibai Li Sibai.li@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
This commit is contained in:
Dan Carpenter
Jeff Kirsher
parent
b45bd46dec
commit
3de9e65f01
|
|
@ -2343,10 +2343,9 @@ static int igbvf_change_mtu(struct net_device *netdev, int new_mtu)
|
|||
struct igbvf_adapter *adapter = netdev_priv(netdev);
|
||||
int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
|
||||
|
||||
if ((new_mtu < 68) || (max_frame > MAX_JUMBO_FRAME_SIZE)) {
|
||||
dev_err(&adapter->pdev->dev, "Invalid MTU setting\n");
|
||||
if (new_mtu < 68 || new_mtu > INT_MAX - ETH_HLEN - ETH_FCS_LEN ||
|
||||
max_frame > MAX_JUMBO_FRAME_SIZE)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
#define MAX_STD_JUMBO_FRAME_SIZE 9234
|
||||
if (max_frame > MAX_STD_JUMBO_FRAME_SIZE) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue