nfp: bpf: prevent integer overflow in nfp_bpf_event_output()

The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
potentially have an integer wrapping bug on 32bit systems.  Check for
this and return an error.

Fixes: 9816dd35ecec ("nfp: bpf: perf event output helpers support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/6074805b-e78d-4b8a-bf05-e929b5377c28@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
index 9d97cd281f18e4d055d8b95233b8e4566f051a7b..c03558adda91ebfd741526edd0159578faf5f51e 100644 (file)
--- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
@@ -458,7 +458,8 @@ int nfp_bpf_event_output(struct nfp_app_bpf *bpf, const void *data,
        map_id_full = be64_to_cpu(cbe->map_ptr);
        map_id = map_id_full;
 
-       if (len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size)
+       if (size_add(pkt_size, data_size) > INT_MAX ||
+           len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size)
                return -EINVAL;
        if (cbe->hdr.ver != NFP_CCM_ABI_VERSION)
                return -EINVAL;