From: Roel Kluin Since the receive code should tolerate any incoming garbage, it should be protected against a potential wraparound when manipulating length values within incoming data. block_len is unsigned, so a too large subtraction will cause a wraparound. Signed-off-by: Roel Kluin Signed-off-by: Ursula Braun --- drivers/s390/net/ctcm_fsms.c | 5 ++--- drivers/s390/net/ctcm_main.c | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff -urpN linux-2.6/drivers/s390/net/ctcm_fsms.c linux-2.6-patched/drivers/s390/net/ctcm_fsms.c --- linux-2.6/drivers/s390/net/ctcm_fsms.c 2009-03-19 11:15:52.000000000 +0100 +++ linux-2.6-patched/drivers/s390/net/ctcm_fsms.c 2009-03-19 11:16:39.000000000 +0100 @@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int priv->stats.rx_length_errors++; goto again; } - block_len -= 2; - if (block_len > 0) { - *((__u16 *)skb->data) = block_len; + if (block_len > 2) { + *((__u16 *)skb->data) = block_len - 2; ctcm_unpack_skb(ch, skb); } again: diff -urpN linux-2.6/drivers/s390/net/ctcm_main.c linux-2.6-patched/drivers/s390/net/ctcm_main.c --- linux-2.6/drivers/s390/net/ctcm_main.c 2009-03-19 11:16:39.000000000 +0100 +++ linux-2.6-patched/drivers/s390/net/ctcm_main.c 2009-03-19 11:16:39.000000000 +0100 @@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, return; } pskb->protocol = ntohs(header->type); - if (header->length <= LL_HEADER_LENGTH) { + if ((header->length <= LL_HEADER_LENGTH) || + (len <= LL_HEADER_LENGTH)) { if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) { CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR, "%s(%s): Illegal packet size %d(%d,%d)" -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html