summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorRoel Kluin <roel.kluin@gmail.com>2009-03-24 03:27:48 +0000
committerDavid S. Miller <davem@davemloft.net>2009-03-24 15:24:30 -0700
commitfb8585fc3f9b39153e0bdaf03f00a02dde9c03c6 (patch)
tree7097afe2b7adc07f38457549a1e89701153ecae9 /drivers
parent3a05d1404d91efd63f0654a4bf59b8803c32efdd (diff)
downloadlinux-fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6.tar.gz
linux-fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6.tar.bz2
linux-fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6.zip
ctcm: avoid wraparound in length of incoming data
Since the receive code should tolerate any incoming garbage, it should be protected against a potential wraparound when manipulating length values within incoming data. block_len is unsigned, so a too large subtraction will cause a wraparound. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/s390/net/ctcm_fsms.c5
-rw-r--r--drivers/s390/net/ctcm_main.c3
2 files changed, 4 insertions, 4 deletions
diff --git a/drivers/s390/net/ctcm_fsms.c b/drivers/s390/net/ctcm_fsms.c
index f29c7086fc19..4ded9ac2c5ef 100644
--- a/drivers/s390/net/ctcm_fsms.c
+++ b/drivers/s390/net/ctcm_fsms.c
@@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg)
priv->stats.rx_length_errors++;
goto again;
}
- block_len -= 2;
- if (block_len > 0) {
- *((__u16 *)skb->data) = block_len;
+ if (block_len > 2) {
+ *((__u16 *)skb->data) = block_len - 2;
ctcm_unpack_skb(ch, skb);
}
again:
diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index 59ce7fb73089..a7a25383db76 100644
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb)
return;
}
pskb->protocol = ntohs(header->type);
- if (header->length <= LL_HEADER_LENGTH) {
+ if ((header->length <= LL_HEADER_LENGTH) ||
+ (len <= LL_HEADER_LENGTH)) {
if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
"%s(%s): Illegal packet size %d(%d,%d)"