On Wed, Feb 05, 2025 at 02:11:48PM +0100, Peter Seiderer wrote:
> Fix mpls maximum labels list parsing up to MAX_MPLS_LABELS/16 entries
> (instead of up to MAX_MPLS_LABELS - 1).
>
> Fixes:
"Fixes: " has a special meaning, it is recognised as a tag by tooling, and
implies a bug fix. Please consider some other way of describing this, e.g.
Addresses the following:
>
> $ echo "mpls 00000f00,00000f01,00000f02,00000f03,00000f04,00000f05,00000f06,00000f07,00000f08,00000f09,00000f0a,00000f0b,00000f0c,00000f0d,00000f0e,00000f0f" > /proc/net/pktgen/lo\@0
> -bash: echo: write error: Argument list too long
>
> Signed-off-by: Peter Seiderer <ps.report@xxxxxxx>
> ---
> Changes v3 -> v4
> - new patch (factored out of patch 'net: pktgen: fix access outside of user
> given buffer in pktgen_if_write()')
> ---
> net/core/pktgen.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/pktgen.c b/net/core/pktgen.c
> index 84fd88e48275..0fd15f21119b 100644
> --- a/net/core/pktgen.c
> +++ b/net/core/pktgen.c
> @@ -908,6 +908,10 @@ static int get_labels(const char __user *buffer, struct pktgen_dev *pkt_dev)
> pkt_dev->nr_labels = 0;
> do {
> __u32 tmp;
> +
> + if (n >= MAX_MPLS_LABELS)
> + return -E2BIG;
> +
> len = hex32_arg(&buffer[i], HEX_8_DIGITS, &tmp);
> if (len <= 0)
> return len;
> @@ -919,8 +923,6 @@ static int get_labels(const char __user *buffer, struct pktgen_dev *pkt_dev)
> return -EFAULT;
> i++;
> n++;
> - if (n >= MAX_MPLS_LABELS)
> - return -E2BIG;
> } while (c == ',');
>
> pkt_dev->nr_labels = n;
> --
> 2.48.1
>
