e1000e: fix heap overflow in e1000_set_eeprom

Fix a possible heap overflow in e1000_set_eeprom function by adding
input validation for the requested length of the change in the EEPROM.
In addition, change the variable type from int to size_t for better
code practices and rearrange declarations to RCT.

Cc: stable@vger.kernel.org
Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
Co-developed-by: Mikael Wessel <post@mikaelkw.online>
Signed-off-by: Mikael Wessel <post@mikaelkw.online>
Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>

diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
index c0bbb12eed2e97bbc768e62d00493592ced12092..cf01a108a5bb2136343a80d7621e7375cd578d6d 100644 (file)
--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
+++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
@@ -549,12 +549,12 @@ static int e1000_set_eeprom(struct net_device *netdev,
 {
        struct e1000_adapter *adapter = netdev_priv(netdev);
        struct e1000_hw *hw = &adapter->hw;
+       size_t total_len, max_len;
        u16 *eeprom_buff;
-       void *ptr;
-       int max_len;
+       int ret_val = 0;
        int first_word;
        int last_word;
-       int ret_val = 0;
+       void *ptr;
        u16 i;
 
        if (eeprom->len == 0)
@@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev,
 
        max_len = hw->nvm.word_size * 2;
 
+       if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
+           total_len > max_len)
+               return -EFBIG;
+
        first_word = eeprom->offset >> 1;
        last_word = (eeprom->offset + eeprom->len - 1) >> 1;
        eeprom_buff = kmalloc(max_len, GFP_KERNEL);