Commit c0230301 authored by Manish Chopra's avatar Manish Chopra Committed by David S. Miller

qlcnic: Fix memory corruption while reading stats using ethtool.

o  Driver is doing memset with zero for total number of stats bytes when
   it has already filled some data in the stats buffer, which can overwrite
   memory area beyond the length of stats buffer.

o  Fix this by initializing stats buffer with zero before filling any data in it.
Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4324414f
...@@ -1333,12 +1333,11 @@ static void qlcnic_get_ethtool_stats(struct net_device *dev, ...@@ -1333,12 +1333,11 @@ static void qlcnic_get_ethtool_stats(struct net_device *dev,
struct qlcnic_host_tx_ring *tx_ring; struct qlcnic_host_tx_ring *tx_ring;
struct qlcnic_esw_statistics port_stats; struct qlcnic_esw_statistics port_stats;
struct qlcnic_mac_statistics mac_stats; struct qlcnic_mac_statistics mac_stats;
int index, ret, length, size, tx_size, ring; int index, ret, length, size, ring;
char *p; char *p;
tx_size = adapter->drv_tx_rings * QLCNIC_TX_STATS_LEN; memset(data, 0, stats->n_stats * sizeof(u64));
memset(data, 0, tx_size * sizeof(u64));
for (ring = 0, index = 0; ring < adapter->drv_tx_rings; ring++) { for (ring = 0, index = 0; ring < adapter->drv_tx_rings; ring++) {
if (test_bit(__QLCNIC_DEV_UP, &adapter->state)) { if (test_bit(__QLCNIC_DEV_UP, &adapter->state)) {
tx_ring = &adapter->tx_ring[ring]; tx_ring = &adapter->tx_ring[ring];
...@@ -1347,7 +1346,6 @@ static void qlcnic_get_ethtool_stats(struct net_device *dev, ...@@ -1347,7 +1346,6 @@ static void qlcnic_get_ethtool_stats(struct net_device *dev,
} }
} }
memset(data, 0, stats->n_stats * sizeof(u64));
length = QLCNIC_STATS_LEN; length = QLCNIC_STATS_LEN;
for (index = 0; index < length; index++) { for (index = 0; index < length; index++) {
p = (char *)adapter + qlcnic_gstrings_stats[index].stat_offset; p = (char *)adapter + qlcnic_gstrings_stats[index].stat_offset;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment