From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
kernel-team@lists.ubuntu.com
Cc: Alexander Drozdov <al.drozdov@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.13.y-ckt 71/78] packet: tpacket_snd(): fix signed/unsigned comparison
Date: Wed, 16 Dec 2015 16:39:55 -0800 [thread overview]
Message-ID: <1450312802-4938-72-git-send-email-kamal@canonical.com> (raw)
In-Reply-To: <1450312802-4938-1-git-send-email-kamal@canonical.com>
3.13.11-ckt32 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Drozdov <al.drozdov@gmail.com>
commit dbd46ab412b8fb395f2b0ff6f6a7eec9df311550 upstream.
tpacket_fill_skb() can return a negative value (-errno) which
is stored in tp_len variable. In that case the following
condition will be (but shouldn't be) true:
tp_len > dev->mtu + dev->hard_header_len
as dev->mtu and dev->hard_header_len are both unsigned.
That may lead to just returning an incorrect EMSGSIZE errno
to the user.
Fixes: 52f1454f629fa ("packet: allow to transmit +4 byte in TX_RING slot for VLAN case")
Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/packet/af_packet.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 870046d..04d0e35 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2147,7 +2147,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
addr, hlen);
- if (tp_len > dev->mtu + dev->hard_header_len) {
+ if (likely(tp_len >= 0) &&
+ tp_len > dev->mtu + dev->hard_header_len) {
struct ethhdr *ehdr;
/* Earlier code assumed this would be a VLAN pkt,
* double-check this now that we have the actual
--
1.9.1
next prev parent reply other threads:[~2015-12-17 0:45 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-17 0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 01/78] tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 02/78] stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures Kamal Mostafa
2015-12-17 0:38 ` Kamal Mostafa
2015-12-17 0:38 ` Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 03/78] stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG Kamal Mostafa
2015-12-17 0:38 ` Kamal Mostafa
2015-12-17 0:38 ` Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 04/78] iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 05/78] iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 06/78] iio: ad5064: Fix ad5629/ad5669 shift Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 07/78] iio:ad7793: Fix ad7785 product ID Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 08/78] x86/fpu: Fix 32-bit signal frame handling Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 09/78] ALSA: usb-audio: add packet size quirk for the Medeli DD305 Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 10/78] ALSA: usb-audio: prevent CH345 multiport output SysEx corruption Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 11/78] ALSA: usb-audio: work around CH345 input " Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 12/78] USB: serial: option: add support for Novatel MiFi USB620L Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 13/78] USB: ti_usb_3410_5052: Add Honeywell HGI80 ID Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 14/78] ASoC: wm8962: correct addresses for HPF_C_0/1 Kamal Mostafa
2015-12-17 0:38 ` [PATCH 3.13.y-ckt 15/78] mac80211: mesh: fix call_rcu() usage Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 16/78] usb: dwc3: gadget: let us set lower max_speed Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 17/78] dm: fix ioctl retry termination with signal Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 18/78] usb: chipidea: debug: disable usb irq while role switch Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 19/78] MIPS: KVM: Fix ASID restoration logic Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 20/78] MIPS: KVM: Fix CACHE immediate offset sign extension Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 21/78] MIPS: KVM: Uninit VCPU in vcpu_create error path Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 22/78] xhci: Workaround to get Intel xHCI reset working more reliably Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 23/78] xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 24/78] x86/cpu: Fix SMAP check in PVOPS environments Kamal Mostafa
2015-12-17 0:39 ` Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 25/78] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14 Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 26/78] arm64: restore bogomips information in /proc/cpuinfo Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 27/78] USB: option: add XS Stick W100-2 from 4G Systems Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 28/78] usblp: do not set TASK_INTERRUPTIBLE before lock Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 29/78] mac: validate mac_partition is within sector Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 30/78] ALSA: hda - Apply HP headphone fixups more generically Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 31/78] fat: fix fake_offset handling on error path Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 32/78] kernel/signal.c: unexport sigsuspend() Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 33/78] parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 34/78] can: sja1000: clear interrupts on start Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 35/78] powerpc/tm: Block signal return setting invalid MSR state Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 36/78] ARC: dw2 unwind: Remove falllback linear search thru FDE entries Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 37/78] fix sysvfs symlinks Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 38/78] vfs: Make sendfile(2) killable even better Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 39/78] vfs: Avoid softlockups with sendfile(2) Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 40/78] nfs4: start callback_ident at idr 1 Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 41/78] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3 Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 42/78] ring-buffer: Update read stamp with first real commit on page Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 43/78] arm64: KVM: Fix AArch32 to AArch64 register mapping Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 44/78] drm/radeon: make rv770_set_sw_state failures non-fatal Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 45/78] RDS: fix race condition when sending a message on unbound socket Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 46/78] btrfs: fix signed overflows in btrfs_sync_file Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 47/78] drm/radeon: make some dpm errors debug only Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 48/78] nfs: if we have no valid attrs, then don't declare the attribute cache valid Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 49/78] xen/gntdev: Grant maps should not be subject to NUMA balancing Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 50/78] iscsi-target: Fix rx_login_comp hang after login failure Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 51/78] target: Fix race for SCF_COMPARE_AND_WRITE_POST checking Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 52/78] target: fix COMPARE_AND_WRITE non zero SGL offset data corruption Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 53/78] block: Always check queue limits for cloned requests Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 54/78] Fix a memory leak in scsi_host_dev_release() Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 55/78] wan/x25: Fix use-after-free in x25_asy_open_tty() Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 56/78] sched/core: Clear the root_domain cpumasks in init_rootdomain() Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 57/78] x86/signal: Fix restart_syscall number for x32 tasks Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 58/78] mmc: remove bondage between REQ_META and reliable write Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 59/78] sctp: translate host order to network order when setting a hmacid Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 60/78] usb: musb: core: fix order of arguments to ulpi write callback Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 61/78] FS-Cache: Add missing initialization of ret in cachefiles_write_page() Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 62/78] tcp: md5: fix lockdep annotation Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 63/78] ARM: dts: Kirkwood: Fix QNAP TS219 power-off Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 64/78] isdn: Partially revert debug format string usage clean up Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 65/78] remoteproc: avoid stack overflow in debugfs file Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 66/78] net: mvneta: add configuration for MBUS windows access protection Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 67/78] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 68/78] net: mvneta: fix bit assignment for RX packet irq enable Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 69/78] sched/core: Remove false-positive warning from wake_up_process() Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 70/78] packet: allow to transmit +4 byte in TX_RING slot for VLAN case Kamal Mostafa
2015-12-17 0:39 ` Kamal Mostafa [this message]
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 72/78] packet: only allow extra vlan len on ethernet devices Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 73/78] packet: fix tpacket_snd max frame len Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 74/78] net/mlx4_core: Avoid returning success in case of an error flow Kamal Mostafa
2015-12-17 0:39 ` [PATCH 3.13.y-ckt 75/78] net: ip6mr: fix static mfc/dev leaks on table destruction Kamal Mostafa
2015-12-17 0:40 ` [PATCH 3.13.y-ckt 76/78] unix: avoid use-after-free in ep_remove_wait_queue Kamal Mostafa
2015-12-17 0:40 ` [PATCH 3.13.y-ckt 77/78] broadcom: fix PHY_ID_BCM5481 entry in the id table Kamal Mostafa
2015-12-17 0:40 ` [PATCH 3.13.y-ckt 78/78] net/neighbour: fix crash at dumping device-agnostic proxy entries Kamal Mostafa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1450312802-4938-72-git-send-email-kamal@canonical.com \
--to=kamal@canonical.com \
--cc=al.drozdov@gmail.com \
--cc=davem@davemloft.net \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.