| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jul 2020 12:46:06 -0400
From: Andres Beltran <lkmlabelt@...il.com>
To: kys@...rosoft.com, haiyangz@...rosoft.com, sthemmin@...rosoft.com,
wei.liu@...nel.org
Cc: linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org,
mikelley@...rosoft.com, parri.andrea@...il.com,
skarade@...rosoft.com, Andres Beltran <lkmlabelt@...il.com>
Subject: [PATCH] Drivers: hv: vmbus: Fix variable assignments in hv_ringbuffer_read()
Assignments to buffer_actual_len and requestid happen before packetlen
is checked to be within buflen. If this condition is true,
hv_ringbuffer_read() returns with these variables already set to some
value even though no data is actually read. This might create
inconsistencies in any routine calling hv_ringbuffer_read(). Assign values
to such pointers after the packetlen check.
Signed-off-by: Andres Beltran <lkmlabelt@...il.com>
---
drivers/hv/ring_buffer.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
index 356e22159e83..e277ce7372a4 100644
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -350,12 +350,13 @@ int hv_ringbuffer_read(struct vmbus_channel *channel,
offset = raw ? 0 : (desc->offset8 << 3);
packetlen = (desc->len8 << 3) - offset;
- *buffer_actual_len = packetlen;
- *requestid = desc->trans_id;
if (unlikely(packetlen > buflen))
return -ENOBUFS;
+ *buffer_actual_len = packetlen;
+ *requestid = desc->trans_id;
+
/* since ring is double mapped, only one copy is necessary */
memcpy(buffer, (const char *)desc + offset, packetlen);
--
2.25.1
Powered by blists - more mailing lists