Loading drivers/staging/ozwpan/ozhcd.c +4 −4 Original line number Diff line number Diff line Loading @@ -746,8 +746,8 @@ void oz_hcd_pd_reset(void *hpd, void *hport) /* * Context: softirq */ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, int length, int offset, int total_size) void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, const u8 *desc, u8 length, u16 offset, u16 total_size) { struct oz_port *port = (struct oz_port *)hport; struct urb *urb; Loading @@ -759,8 +759,8 @@ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, if (!urb) return; if (status == 0) { int copy_len; int required_size = urb->transfer_buffer_length; unsigned int copy_len; unsigned int required_size = urb->transfer_buffer_length; if (required_size > total_size) required_size = total_size; Loading drivers/staging/ozwpan/ozusbif.h +2 −2 Original line number Diff line number Diff line Loading @@ -29,8 +29,8 @@ void oz_usb_request_heartbeat(void *hpd); /* Confirmation functions. */ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, int length, int offset, int total_size); void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, const u8 *desc, u8 length, u16 offset, u16 total_size); void oz_hcd_control_cnf(void *hport, u8 req_id, u8 rcode, const u8 *data, int data_len); Loading drivers/usb/usbip/usbip_common.c +11 −0 Original line number Diff line number Diff line Loading @@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) if (!(size > 0)) return 0; if (size > urb->transfer_buffer_length) { /* should not happen, probably malicious packet */ if (ud->side == USBIP_STUB) { usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); return 0; } else { usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); return -EPIPE; } } ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); if (ret != size) { dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); Loading fs/nfsd/nfssvc.c +36 −0 Original line number Diff line number Diff line Loading @@ -646,6 +646,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr) return nfserr; } /* * A write procedure can have a large argument, and a read procedure can * have a large reply, but no NFSv2 or NFSv3 procedure has argument and * reply that can both be larger than a page. The xdr code has taken * advantage of this assumption to be a sloppy about bounds checking in * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that * problem, we enforce these assumptions here: */ static bool nfs_request_too_big(struct svc_rqst *rqstp, struct svc_procedure *proc) { /* * The ACL code has more careful bounds-checking and is not * susceptible to this problem: */ if (rqstp->rq_prog != NFS_PROGRAM) return false; /* * Ditto NFSv4 (which can in theory have argument and reply both * more than a page): */ if (rqstp->rq_vers >= 4) return false; /* The reply will be small, we're OK: */ if (proc->pc_xdrressize > 0 && proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) return false; return rqstp->rq_arg.len > PAGE_SIZE; } int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) { Loading @@ -658,6 +689,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) rqstp->rq_vers, rqstp->rq_proc); proc = rqstp->rq_procinfo; if (nfs_request_too_big(rqstp, proc)) { dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers); *statp = rpc_garbage_args; return 1; } /* * Give the xdr decoder a chance to change this if it wants * (necessary in the NFSv4.0 compound case) Loading net/ipv4/tcp_input.c +3 −0 Original line number Diff line number Diff line Loading @@ -2516,6 +2516,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, int newly_acked_sacked = prior_unsacked - (tp->packets_out - tp->sacked_out); if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) return; tp->prr_delivered += newly_acked_sacked; if (tcp_packets_in_flight(tp) > tp->snd_ssthresh) { u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + Loading Loading
drivers/staging/ozwpan/ozhcd.c +4 −4 Original line number Diff line number Diff line Loading @@ -746,8 +746,8 @@ void oz_hcd_pd_reset(void *hpd, void *hport) /* * Context: softirq */ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, int length, int offset, int total_size) void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, const u8 *desc, u8 length, u16 offset, u16 total_size) { struct oz_port *port = (struct oz_port *)hport; struct urb *urb; Loading @@ -759,8 +759,8 @@ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, if (!urb) return; if (status == 0) { int copy_len; int required_size = urb->transfer_buffer_length; unsigned int copy_len; unsigned int required_size = urb->transfer_buffer_length; if (required_size > total_size) required_size = total_size; Loading
drivers/staging/ozwpan/ozusbif.h +2 −2 Original line number Diff line number Diff line Loading @@ -29,8 +29,8 @@ void oz_usb_request_heartbeat(void *hpd); /* Confirmation functions. */ void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, int length, int offset, int total_size); void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, const u8 *desc, u8 length, u16 offset, u16 total_size); void oz_hcd_control_cnf(void *hport, u8 req_id, u8 rcode, const u8 *data, int data_len); Loading
drivers/usb/usbip/usbip_common.c +11 −0 Original line number Diff line number Diff line Loading @@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) if (!(size > 0)) return 0; if (size > urb->transfer_buffer_length) { /* should not happen, probably malicious packet */ if (ud->side == USBIP_STUB) { usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); return 0; } else { usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); return -EPIPE; } } ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); if (ret != size) { dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); Loading
fs/nfsd/nfssvc.c +36 −0 Original line number Diff line number Diff line Loading @@ -646,6 +646,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr) return nfserr; } /* * A write procedure can have a large argument, and a read procedure can * have a large reply, but no NFSv2 or NFSv3 procedure has argument and * reply that can both be larger than a page. The xdr code has taken * advantage of this assumption to be a sloppy about bounds checking in * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that * problem, we enforce these assumptions here: */ static bool nfs_request_too_big(struct svc_rqst *rqstp, struct svc_procedure *proc) { /* * The ACL code has more careful bounds-checking and is not * susceptible to this problem: */ if (rqstp->rq_prog != NFS_PROGRAM) return false; /* * Ditto NFSv4 (which can in theory have argument and reply both * more than a page): */ if (rqstp->rq_vers >= 4) return false; /* The reply will be small, we're OK: */ if (proc->pc_xdrressize > 0 && proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) return false; return rqstp->rq_arg.len > PAGE_SIZE; } int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) { Loading @@ -658,6 +689,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) rqstp->rq_vers, rqstp->rq_proc); proc = rqstp->rq_procinfo; if (nfs_request_too_big(rqstp, proc)) { dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers); *statp = rpc_garbage_args; return 1; } /* * Give the xdr decoder a chance to change this if it wants * (necessary in the NFSv4.0 compound case) Loading
net/ipv4/tcp_input.c +3 −0 Original line number Diff line number Diff line Loading @@ -2516,6 +2516,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, int newly_acked_sacked = prior_unsacked - (tp->packets_out - tp->sacked_out); if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) return; tp->prr_delivered += newly_acked_sacked; if (tcp_packets_in_flight(tp) > tp->snd_ssthresh) { u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + Loading
