Re: [PATCH net 9/9] ethtool: cmis: validate fw->size against start_cmd_payload_size
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
Date: 2026-05-23 14:59:28
Hi,

On 5/23/26 01:13, Jakub Kicinski wrote:
cmis_fw_update_start_download() copies start_cmd_payload_size bytes
from the firmware blob into the CDB LPL vendor_data[] payload without
validating that the FW has enough data.
Since the start_cmd_payload_size can only be ~120B an image too short
is most likely corrupted, so reject it.
Fixes: c4f78134d45c ("ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>

Maxime
--- CC: andrew@lunn.ch CC: danieller@nvidia.com CC: petrm@nvidia.com --- net/ethtool/cmis_fw_update.c | 8 ++++++++ 1 file changed, 8 insertions(+)diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c index 16190c97e1f7..291d04d2776a 100644 --- a/net/ethtool/cmis_fw_update.c +++ b/net/ethtool/cmis_fw_update.c@@ -130,6 +130,14 @@ cmis_fw_update_start_download(struct ethtool_cmis_cdb *cdb, u8 lpl_len; int err; + if (fw_update->fw->size < vendor_data_size) { + ethnl_module_fw_flash_ntf_err(fw_update->dev, + &fw_update->ntf_params, + "Firmware image too small for module's start payload", + NULL); + return -EINVAL; + } + pl.image_size = cpu_to_be32(fw_update->fw->size); memcpy(pl.vendor_data, fw_update->fw->data, vendor_data_size);
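
Review bot: The new check in cmis_fw_update_start_download() compares fw_update->fw->size against vendor_data_size, while the subject and commit message talk about start_cmd_payload_size; a one-line comment above the `if`, or a sentence in the commit message, stating how the two relate would make the fix easier to follow. The check covers only the source side of the memcpy() into pl.vendor_data. The visible lines do not show where vendor_data_size is bounded against the size of pl.vendor_data, so it is worth confirming that the destination bound holds on every path that reaches this function.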