leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
556a0964e2
linux/drivers/s390/net
History
Julian Wiedmann 292a50e3fc s390/qeth: reject oversized SNMP requests 
Commit d4c08afafa ("s390/qeth: streamline SNMP cmd code") removed
the bounds checking for req_len, under the assumption that the check in
qeth_alloc_cmd() would suffice.

But that code path isn't sufficiently robust to handle a user-provided
data_length, which could overflow (when adding the cmd header overhead)
before being checked against QETH_BUFSIZE. We end up allocating just a
tiny iob, and the subsequent copy_from_user() writes past the end of
that iob.

Special-case this path and add a coarse bounds check, to protect against
maliciuous requests. This let's the subsequent code flow do its normal
job and precise checking, without risk of overflow.

Fixes: d4c08afafa ("s390/qeth: streamline SNMP cmd code")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-08-24 16:34:08 -07:00
..
ctcm_dbug.c
ctcm_dbug.h
ctcm_fsms.c s390/net: Mark expected switch fall-throughs 2019-08-09 19:50:01 -05:00
ctcm_fsms.h
ctcm_main.c s390: ctcm: fix ctcm_new_device error return code 2019-04-17 23:25:35 -07:00
ctcm_main.h
ctcm_mpc.c s390/net: Mark expected switch fall-throughs 2019-08-09 19:50:01 -05:00
ctcm_mpc.h
ctcm_sysfs.c
fsm.c
fsm.h
ism_drv.c s390/ism: move oddities of device IO to wrapper function 2019-04-29 10:47:01 +02:00
ism.h s390/ism: move oddities of device IO to wrapper function 2019-04-29 10:47:01 +02:00
Kconfig s390/Kconfig: pedantic cleanups 2019-06-04 15:03:46 +02:00
lcs.c
lcs.h
Makefile
netiucv.c
qeth_core_main.c s390/qeth: reject oversized SNMP requests 2019-08-24 16:34:08 -07:00
qeth_core_mpc.c
qeth_core_mpc.h s390/qeth: dynamically allocate vnicc cmds 2019-06-27 10:18:23 -07:00
qeth_core_sys.c s390/qeth: use IS_* helpers for checking device type 2019-04-26 11:14:06 -04:00
qeth_core.h s390/qeth: serialize cmd reply with concurrent timeout 2019-08-13 19:26:47 -07:00
qeth_ethtool.c s390/qeth: stop/wake TX queues based on their fill level 2019-04-17 10:33:59 -07:00
qeth_l2_main.c s390/net: Mark expected switch fall-throughs 2019-08-09 19:50:01 -05:00
qeth_l2_sys.c
qeth_l2.h
qeth_l3_main.c s390/qeth: move cast type selection into fill_header() 2019-06-27 10:18:24 -07:00
qeth_l3_sys.c s390/qeth: use IS_* helpers for checking device type 2019-04-26 11:14:06 -04:00
qeth_l3.h
smsgiucv_app.c
smsgiucv.c
smsgiucv.h