OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ctcm: avoid wraparound in length of incoming data 

Since the receive code should tolerate any incoming garbage, it
should be protected against a potential wraparound when manipulating
length values within incoming data.
block_len is unsigned, so a too large subtraction will cause a
wraparound.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Roel Kluin 2009-03-24 03:27:48 +00:00 committed by David S. Miller
parent 3a05d1404d
commit fb8585fc3f
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/s390/net/ctcm_fsms.c
View File

@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg)
priv->stats.rx_length_errors++;
goto again;
}
block_len -= 2;
if (block_len > 0) {
*((__u16 *)skb->data) = block_len;
if (block_len > 2) {
*((__u16 *)skb->data) = block_len - 2;
ctcm_unpack_skb(ch, skb);
}
again:

3
drivers/s390/net/ctcm_main.c
View File

@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb)
return;
}
pskb->protocol = ntohs(header->type);
if (header->length <= LL_HEADER_LENGTH) {
if ((header->length <= LL_HEADER_LENGTH) ||
(len <= LL_HEADER_LENGTH)) {
if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
"%s(%s): Illegal packet size %d(%d,%d)"