git.ipfire.org Git - thirdparty/linux.git/commitdiff
net: airoha: fix foe_check_time allocation size
author Wayen Yan <win847@gmail.com>
Tue, 16 Jun 2026 11:52:36 +0000 (19:52 +0800)
committer Jakub Kicinski <kuba@kernel.org>
Fri, 19 Jun 2026 01:03:12 +0000 (18:03 -0700)
foe_check_time is declared as u16 pointer but was allocated with
only ppe_num_entries bytes instead of ppe_num_entries * sizeof(u16).

When airoha_ppe_foe_verify_entry() is called with hash >= ppe_num_entries/2,
it writes beyond the allocated buffer, causing heap buffer overflow and
potential kernel crash.

Fixes: 6d5b601d52a2 ("net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct")
Signed-off-by: Wayen Yan <win847@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/178161119471.2163752.14373384830691569758@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/ethernet/airoha/airoha_ppe.c

index 329e7c2aae890102a994a5622b2303e5f30facc7..42f4b0f21d179865a86d70dc4100d5e316e13e5a 100644 (file)
@@ -1601,7 +1601,8 @@ int airoha_ppe_init(struct airoha_eth *eth)
                        return -ENOMEM;
        }
 
-       ppe->foe_check_time = devm_kzalloc(eth->dev, ppe_num_entries,
+       ppe->foe_check_time = devm_kzalloc(eth->dev,
+                                          ppe_num_entries * sizeof(*ppe->foe_check_time),
                                           GFP_KERNEL);
        if (!ppe->foe_check_time)
                return -ENOMEM;
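
Review bot: The size argument in the added devm_kzalloc() call is an open-coded product, `ppe_num_entries * sizeof(*ppe->foe_check_time)`, which is not checked for overflow. Consider `devm_kcalloc(eth->dev, ppe_num_entries, sizeof(*ppe->foe_check_time), GFP_KERNEL)` instead: it returns the same zeroed, device-managed array, fails the allocation if the product overflows, and keeps the element count and element size as separate arguments, which makes a count-versus-bytes mix-up like the one being fixed here easier to spot.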