UPSTREAM: staging: most: net: fix buffer overflow - android_kernel_xiaomi_sdm660.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Andrey Shvetsov <andrey.shvetsov@k2l.de>	2020-01-16 18:22:39 +0100
committer	Greg Kroah-Hartman <gregkh@google.com>	2020-01-29 13:42:28 +0100
commit	bf0cb2f94cbd87e1ba1b50c693d5600f37565797 (patch)
tree	1a848810e452ed1e34e1d4bcf2a59b55776c490e /mm
parent	51c493fdf0ee04da0eb1d077f0f89bb470645f68 (diff)

UPSTREAM: staging: most: net: fix buffer overflow

If the length of the socket buffer is 0xFFFFFFFF (max size for an unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14 (ETH_HLEN). Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN) which overflows and results in a value of 2. These values for payload_len and mdp_len will pass current buffer size checks. This patch checks if derived from skb->len sum may overflow. The check is based on the following idea: For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`, `V1 + V2` overflows iif `SUM < V1`. Bug: 143560807 Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Andrey Shvetsov <andrey.shvetsov@k2l.de> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I71197b2963735ba181314332737fc0c1ca2cab96

Diffstat (limited to 'mm')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: