authorAndrew Rybchenko <arybchik@FreeBSD.org>2018-11-30 07:05:36 +0000
committerAndrew Rybchenko <arybchik@FreeBSD.org>2018-11-30 07:05:36 +0000
commit315bbbaa7c56b21ce3bd2d944ed50442ab13120b (patch)
tree6f1bf9239e7f872d61e747ce5594ae1ddb2861a8 /sys/dev/sfxge/common/efx_lic.c
parent5037810f7e46272812a8521397e47190dec308ee (diff)
sfxge(4): fix out of bounds read when dereferencing sdup
Introduce and use macro to make sure that MCDI buffers allocated on stack are rounded up properly. Submitted by: Gautam Dawar <gdawar at solarflare.com> Sponsored by: Solarflare Communications, Inc. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D18259
Notes
Notes: svn path=/head/; revision=341297
Diffstat (limited to 'sys/dev/sfxge/common/efx_lic.c')
-rw-r--r--sys/dev/sfxge/common/efx_lic.c39
1 files changed, 15 insertions, 24 deletions
diff --git a/sys/dev/sfxge/common/efx_lic.c b/sys/dev/sfxge/common/efx_lic.c
index d09d6b24c90c..0099afba7373 100644
--- a/sys/dev/sfxge/common/efx_lic.c
+++ b/sys/dev/sfxge/common/efx_lic.c
@@ -328,12 +328,11 @@ efx_mcdi_fc_license_update_license(
__in efx_nic_t *enp)
{
efx_mcdi_req_t req;
- uint8_t payload[MC_CMD_FC_IN_LICENSE_LEN];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_FC_IN_LICENSE_LEN, 0);
efx_rc_t rc;
EFSYS_ASSERT(enp->en_family == EFX_FAMILY_SIENA);
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_FC;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_FC_IN_LICENSE_LEN;
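Review bot: With the `memset` removed, nothing in this function shows that `payload` is zeroed before it is handed to the MCDI layer as `req.emr_in_buf`; that now rests entirely on `EFX_MCDI_DECLARE_BUF`, whose definition is not part of this diff. If the macro expands to a zero-initialised array this is fine, but a later variant that skips initialisation would pass stale kernel stack bytes to the firmware with no visible change at this call site. A short comment at the declaration would keep the invariant local, for example `/* EFX_MCDI_DECLARE_BUF rounds the size up and zero-fills; no memset needed */`, once that is confirmed against the macro. The same applies to the other hunks in this file that drop the `memset`, and the function body continues outside the hunk.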
@@ -374,13 +373,12 @@ efx_mcdi_fc_license_get_key_stats(
__out efx_key_stats_t *eksp)
{
efx_mcdi_req_t req;
- uint8_t payload[MAX(MC_CMD_FC_IN_LICENSE_LEN,
- MC_CMD_FC_OUT_LICENSE_LEN)];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_FC_IN_LICENSE_LEN,
+ MC_CMD_FC_OUT_LICENSE_LEN);
efx_rc_t rc;
EFSYS_ASSERT(enp->en_family == EFX_FAMILY_SIENA);
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_FC;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_FC_IN_LICENSE_LEN;
@@ -690,8 +688,8 @@ efx_mcdi_licensed_app_state(
__out boolean_t *licensedp)
{
efx_mcdi_req_t req;
- uint8_t payload[MAX(MC_CMD_GET_LICENSED_APP_STATE_IN_LEN,
- MC_CMD_GET_LICENSED_APP_STATE_OUT_LEN)];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_GET_LICENSED_APP_STATE_IN_LEN,
+ MC_CMD_GET_LICENSED_APP_STATE_OUT_LEN);
uint32_t app_state;
efx_rc_t rc;
@@ -703,7 +701,6 @@ efx_mcdi_licensed_app_state(
goto fail1;
}
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_GET_LICENSED_APP_STATE;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_GET_LICENSED_APP_STATE_IN_LEN;
@@ -749,12 +746,11 @@ efx_mcdi_licensing_update_licenses(
__in efx_nic_t *enp)
{
efx_mcdi_req_t req;
- uint8_t payload[MC_CMD_LICENSING_IN_LEN];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_LICENSING_IN_LEN, 0);
efx_rc_t rc;
EFSYS_ASSERT(enp->en_family == EFX_FAMILY_HUNTINGTON);
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_LICENSING;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_LICENSING_IN_LEN;
@@ -792,13 +788,12 @@ efx_mcdi_licensing_get_key_stats(
__out efx_key_stats_t *eksp)
{
efx_mcdi_req_t req;
- uint8_t payload[MAX(MC_CMD_LICENSING_IN_LEN,
- MC_CMD_LICENSING_OUT_LEN)];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_LICENSING_IN_LEN,
+ MC_CMD_LICENSING_OUT_LEN);
efx_rc_t rc;
EFSYS_ASSERT(enp->en_family == EFX_FAMILY_HUNTINGTON);
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_LICENSING;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_LICENSING_IN_LEN;
@@ -856,13 +851,12 @@ efx_mcdi_licensing_v3_update_licenses(
__in efx_nic_t *enp)
{
efx_mcdi_req_t req;
- uint8_t payload[MC_CMD_LICENSING_V3_IN_LEN];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_LICENSING_V3_IN_LEN, 0);
efx_rc_t rc;
EFSYS_ASSERT((enp->en_family == EFX_FAMILY_MEDFORD) ||
(enp->en_family == EFX_FAMILY_MEDFORD2));
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_LICENSING_V3;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_LICENSING_V3_IN_LEN;
@@ -893,14 +887,13 @@ efx_mcdi_licensing_v3_report_license(
__out efx_key_stats_t *eksp)
{
efx_mcdi_req_t req;
- uint8_t payload[MAX(MC_CMD_LICENSING_V3_IN_LEN,
- MC_CMD_LICENSING_V3_OUT_LEN)];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_LICENSING_V3_IN_LEN,
+ MC_CMD_LICENSING_V3_OUT_LEN);
efx_rc_t rc;
EFSYS_ASSERT((enp->en_family == EFX_FAMILY_MEDFORD) ||
(enp->en_family == EFX_FAMILY_MEDFORD2));
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_LICENSING_V3;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_LICENSING_V3_IN_LEN;
@@ -957,15 +950,14 @@ efx_mcdi_licensing_v3_app_state(
__out boolean_t *licensedp)
{
efx_mcdi_req_t req;
- uint8_t payload[MAX(MC_CMD_GET_LICENSED_V3_APP_STATE_IN_LEN,
- MC_CMD_GET_LICENSED_V3_APP_STATE_OUT_LEN)];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_GET_LICENSED_V3_APP_STATE_IN_LEN,
+ MC_CMD_GET_LICENSED_V3_APP_STATE_OUT_LEN);
uint32_t app_state;
efx_rc_t rc;
EFSYS_ASSERT((enp->en_family == EFX_FAMILY_MEDFORD) ||
(enp->en_family == EFX_FAMILY_MEDFORD2));
- (void) memset(payload, 0, sizeof (payload));
req.emr_cmd = MC_CMD_GET_LICENSED_V3_APP_STATE;
req.emr_in_buf = payload;
req.emr_in_length = MC_CMD_GET_LICENSED_V3_APP_STATE_IN_LEN;
@@ -1017,8 +1009,8 @@ efx_mcdi_licensing_v3_get_id(
uint8_t *bufferp)
{
efx_mcdi_req_t req;
- uint8_t payload[MAX(MC_CMD_LICENSING_GET_ID_V3_IN_LEN,
- MC_CMD_LICENSING_GET_ID_V3_OUT_LENMIN)];
+ EFX_MCDI_DECLARE_BUF(payload, MC_CMD_LICENSING_GET_ID_V3_IN_LEN,
+ MC_CMD_LICENSING_GET_ID_V3_OUT_LENMIN);
efx_rc_t rc;
req.emr_cmd = MC_CMD_LICENSING_GET_ID_V3;
@@ -1029,7 +1021,6 @@ efx_mcdi_licensing_v3_get_id(
req.emr_in_length = MC_CMD_LICENSING_GET_ID_V3_IN_LEN;
req.emr_out_buf = bufferp;
req.emr_out_length = MC_CMD_LICENSING_GET_ID_V3_OUT_LENMIN;
- (void) memset(payload, 0, sizeof (payload));
} else {
/* Request full buffer */
req.emr_in_buf = bufferp;
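Review bot: The rounded-up `payload` buffer does not cover the request built in these lines: the first branch sets `req.emr_out_buf = bufferp` and the `else` branch sets `req.emr_in_buf = bufferp`, a caller-supplied pointer. If the out-of-bounds read named in the commit title comes from the MCDI layer accessing buffers in units wider than a byte (inferred from the commit message, not visible here), a caller buffer whose size is not a multiple of that unit is still exposed on this path. The function header could state the requirement, for example `/* bufferp, when used, must be sized to a multiple of the MCDI access width */`, or the length passed with it could be checked before the request is issued. The branch condition and the rest of the body are outside the hunk, so this needs checking against the full function.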