Commit fb8585fc authored by Roel Kluin's avatar Roel Kluin Committed by David S. Miller

ctcm: avoid wraparound in length of incoming data

Since the receive code should tolerate any incoming garbage, it
should be protected against a potential wraparound when manipulating
length values within incoming data.
block_len is unsigned, so a too large subtraction will cause a
wraparound.
Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarUrsula Braun <ursula.braun@de.ibm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 3a05d140
...@@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg) ...@@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg)
priv->stats.rx_length_errors++; priv->stats.rx_length_errors++;
goto again; goto again;
} }
block_len -= 2; if (block_len > 2) {
if (block_len > 0) { *((__u16 *)skb->data) = block_len - 2;
*((__u16 *)skb->data) = block_len;
ctcm_unpack_skb(ch, skb); ctcm_unpack_skb(ch, skb);
} }
again: again:
......
...@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb) ...@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb)
return; return;
} }
pskb->protocol = ntohs(header->type); pskb->protocol = ntohs(header->type);
if (header->length <= LL_HEADER_LENGTH) { if ((header->length <= LL_HEADER_LENGTH) ||
(len <= LL_HEADER_LENGTH)) {
if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) { if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR, CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
"%s(%s): Illegal packet size %d(%d,%d)" "%s(%s): Illegal packet size %d(%d,%d)"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment