On Wed, 3 May 2017 14:44:35 +1000 Gavin Shan <gws...@linux.vnet.ibm.com> wrote:
> +static int ethtool_get_ncsi_channels(struct net_device *dev, > + void __user *useraddr) Please don't use an opaque type for this. See how other ethtool operations take a struct. > +{ > + struct ethtool_ncsi_channels *enc; > + short nr_channels; Should be __u16 or unsigned not short. > + ssize_t size = 0; > + int ret; > + > + if (!dev->ethtool_ops->get_ncsi_channels) > + return -EOPNOTSUPP; > + > + if (copy_from_user(&nr_channels, useraddr + sizeof(enc->cmd), > + sizeof(nr_channels))) > + return -EFAULT; > + > + size = sizeof(*enc); > + if (nr_channels > 0) > + size += nr_channels * sizeof(enc->id[0]); You have no upper bound on number of channels, and therefore an incorrect application could grab an excessive amount of kernel memory.
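Review bot: In the size computation at the end of the hunk, `nr_channels` is a signed short copied straight from user space, and `if (nr_channels > 0)` silently treats a negative count as zero instead of rejecting it; nothing visible here compares the count with a maximum before it scales `size`. Reading the count into an unsigned type and returning -EINVAL when it exceeds a fixed limit would bound `size` before it is used. The read itself, `useraddr + sizeof(enc->cmd)`, relies on void pointer arithmetic and on the count sitting directly after `cmd` with no padding; copying the fixed header of the struct with one copy_from_user() and reading the count from that copy would avoid hard-coding the offset.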