diff options
| author |   Jakub Kicinski <kuba@kernel.org> | 2026-05-22 16:13:11 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-05-26 08:19:33 -0700 |
| commit | 12c2496a71f82f63617971ca9b730dffa05cf58b (patch) | |
| tree | e443df210e5d2e8b311e285022e6864452faba18 /include/linux/amba/ssh:/git@git.zx2c4.com | |
| parent | ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl (diff) | |
ethtool: cmis: validate start_cmd_payload_size from module
The CMIS firmware update code reads start_cmd_payload_size from
the module's FW Management Features CDB reply and uses it directly
as the byte count for memcpy. The destination buffer is 112 bytes
(ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH - 8). So a malicious
module (or corrupted response) can cause a OOB write later on in
cmis_fw_update_start_download().
Let's error out. If modules that expect longer LPL writes actually
exist we should revisit.
struct cmis_cdb_start_fw_download_pl's definition has to move,
no change there.
Fixes: c4f78134d45c ("ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/linux/amba/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions