hv_netvsc: Validate number of allocated sub-channels

Lack of validation could lead to out-of-bound reads and information
leaks (cf. usage of nvdev->chan_table[]).  Check that the number of
allocated sub-channels fits into the expected range.

Suggested-by: Saruhan Karademir <skarade@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Acked-by: Jakub Kicinski <kuba@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org
Link: https://lore.kernel.org/r/20201118153310.112404-1-parri.andrea@gmail.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>

diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 6ae43319ece68f73f910c7cb2de185badd05e77d..9a51fa3003a8ea761c90a192b21ee430869cbb84 100644 (file)
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1224,6 +1224,11 @@ int rndis_set_subchannel(struct net_device *ndev,
                return -EIO;
        }
 
+       /* Check that number of allocated sub channel is within the expected range */
+       if (init_packet->msg.v5_msg.subchn_comp.num_subchannels > nvdev->num_chn - 1) {
+               netdev_err(ndev, "invalid number of allocated sub channel\n");
+               return -EINVAL;
+       }
        nvdev->num_chn = 1 +
                init_packet->msg.v5_msg.subchn_comp.num_subchannels;