diff options
author | Roel Kluin <roel.kluin@gmail.com> | 2009-03-24 03:27:48 (GMT) |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-03-24 22:24:30 (GMT) |
commit | fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6 (patch) | |
tree | 7097afe2b7adc07f38457549a1e89701153ecae9 /drivers/s390/net | |
parent | 3a05d1404d91efd63f0654a4bf59b8803c32efdd (diff) | |
download | linux-fsl-qoriq-fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6.tar.xz |
ctcm: avoid wraparound in length of incoming data
Since the receive code should tolerate any incoming garbage, it
should be protected against a potential wraparound when manipulating
length values within incoming data.
block_len is unsigned, so a too large subtraction will cause a
wraparound.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/s390/net')
-rw-r--r-- | drivers/s390/net/ctcm_fsms.c | 5 | ||||
-rw-r--r-- | drivers/s390/net/ctcm_main.c | 3 |
2 files changed, 4 insertions, 4 deletions
diff --git a/drivers/s390/net/ctcm_fsms.c b/drivers/s390/net/ctcm_fsms.c index f29c708..4ded9ac 100644 --- a/drivers/s390/net/ctcm_fsms.c +++ b/drivers/s390/net/ctcm_fsms.c @@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg) priv->stats.rx_length_errors++; goto again; } - block_len -= 2; - if (block_len > 0) { - *((__u16 *)skb->data) = block_len; + if (block_len > 2) { + *((__u16 *)skb->data) = block_len - 2; ctcm_unpack_skb(ch, skb); } again: diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c index 59ce7fb..a7a2538 100644 --- a/drivers/s390/net/ctcm_main.c +++ b/drivers/s390/net/ctcm_main.c @@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb) return; } pskb->protocol = ntohs(header->type); - if (header->length <= LL_HEADER_LENGTH) { + if ((header->length <= LL_HEADER_LENGTH) || + (len <= LL_HEADER_LENGTH)) { if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) { CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR, "%s(%s): Illegal packet size %d(%d,%d)" |