From: Dan Carpenter <dan.carpenter@oracle.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Won Kang <wkang77@gmail.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>,
	linux-staging@lists.linux.dev, kernel-janitors@vger.kernel.org
Subject: [PATCH 2/2] staging: gdm724x: check for overflow in gdm_lte_netif_rx()
Date: Mon, 14 Jun 2021 12:58:36 +0300
Message-ID: <YMcoTPsCYlhh2TQo@mwanda>
In-Reply-To: <YMcnl4zCwGWGDVMG@mwanda>

This code assumes that "len" is at least 62 bytes, but we need a check
to prevent a read overflow.

Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
There is a different place that does:

	ip_version = buf[0] >> 4;

Which assumes that "len" is one.  I think that should be checked in the
caller...  I didn't add a check here because I think it's the wrong
place but then I didn't add a check in the caller because I wasn't able
to test it.  I'm not really that worried about reading one element
beyond the end of the buffer.  If we get extremely unlucky it could
result in a crash...  Hopefully we will remember to look at this again
before moving this code out of staging.

#TODO:

 drivers/staging/gdm724x/gdm_lte.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
index a41af7aa74ec..bd5f87433404 100644
--- a/drivers/staging/gdm724x/gdm_lte.c
+++ b/drivers/staging/gdm724x/gdm_lte.c
@@ -611,10 +611,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf,
 						  * bytes (99,130,83,99 dec)
 						  */
 			} __packed;
-			void *addr = buf + sizeof(struct iphdr) +
-				sizeof(struct udphdr) +
-				offsetof(struct dhcp_packet, chaddr);
-			ether_addr_copy(nic->dest_mac_addr, addr);
+			int offset = sizeof(struct iphdr) +
+				     sizeof(struct udphdr) +
+				     offsetof(struct dhcp_packet, chaddr);
+			if (offset + ETH_ALEN > len)
+				return;
+			ether_addr_copy(nic->dest_mac_addr, buf + offset);
 		}
 	}
 
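Review bot: the `return` under `if (offset + ETH_ALEN > len)` leaves gdm_lte_netif_rx() altogether rather than only skipping the ether_addr_copy(), so everything the function does after this block is also skipped for a short buffer, and nothing records that it happened. If that is the intent, a one-line comment saying so would help; a counter such as `dev->stats.rx_dropped++` before the return would make truncated frames visible when debugging. Style: checkpatch expects a blank line between the `int offset = ...;` declaration and the `if`. Separately, the offset is still built from `sizeof(struct iphdr)`, which is the header size without options, so the new check bounds the read but the six bytes copied are only chaddr when the IP header carries no options; that predates this patch and could be handled in a follow-up.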
-- 
2.30.2


Thread overview: 2+ messages
2021-06-14  9:55 [PATCH 1/2] staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() Dan Carpenter
2021-06-14  9:58 ` Dan Carpenter [this message]
