ctcm: avoid wraparound in length of incoming data

Since the receive code should tolerate any incoming garbage, it should be protected against a potential wraparound when manipulating length values within incoming data. block_len is unsigned, so a too large subtraction will cause a wraparound. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
git-mirror · Mar 24, 2009 · fb8585f · fb8585f
1 parent 3a05d14
commit fb8585f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/drivers/s390/net/ctcm_fsms.c b/drivers/s390/net/ctcm_fsms.c
@@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg)
 		priv->stats.rx_length_errors++;
 						goto again;
 	}
-	block_len -= 2;
-	if (block_len > 0) {
-		*((__u16 *)skb->data) = block_len;
+	if (block_len > 2) {
+		*((__u16 *)skb->data) = block_len - 2;
 		ctcm_unpack_skb(ch, skb);
 	}
  again:

diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb)
 			return;
 		}
 		pskb->protocol = ntohs(header->type);
-		if (header->length <= LL_HEADER_LENGTH) {
+		if ((header->length <= LL_HEADER_LENGTH) ||
+		    (len <= LL_HEADER_LENGTH)) {
 			if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
 				CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
 					"%s(%s): Illegal packet size %d(%d,%d)"