Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fb8585fc authored Mar 24, 2009 by Roel Kluin Committed by David S. Miller Mar 24, 2009

ctcm: avoid wraparound in length of incoming data



Since the receive code should tolerate any incoming garbage, it
should be protected against a potential wraparound when manipulating
length values within incoming data.
block_len is unsigned, so a too large subtraction will cause a
wraparound.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 3a05d140

drivers/s390/net/ctcm_fsms.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -410,9 +410,8 @@ static void chx_rx(fsm_instance fi, int event, void arg)
		priv->stats.rx_length_errors++;
		goto again;
		}
		block_len -= 2;
		if (block_len > 0) {
		((__u16 )skb->data) = block_len;
		if (block_len > 2) {
		((__u16 )skb->data) = block_len - 2;
		ctcm_unpack_skb(ch, skb);
		}
		again:

drivers/s390/net/ctcm_main.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel ch, struct sk_buff pskb)
		return;
		}
		pskb->protocol = ntohs(header->type);
		if (header->length <= LL_HEADER_LENGTH) {
		if ((header->length <= LL_HEADER_LENGTH) \|\|
		(len <= LL_HEADER_LENGTH)) {
		if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
		CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
		"%s(%s): Illegal packet size %d(%d,%d)"