lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Tue, 15 Feb 2022 12:02:43 +0100
From:   Oliver Neukum <oneukum@...e.com>
To:     dmitry.bezrukov@...antia.com, igor.russkikh@...antia.com,
        meissner@...e.com, netdev@...r.kernel.org,
        linux-usb@...r.kernel.org
Cc:     Oliver Neukum <oneukum@...e.com>
Subject: [RFC] aqc111: check for valid header length before parsing

The received package must be checked for being long
enough to contain the header to be parsed, or garbage
may be parsed during fixup.

Signed-off-by: Oliver Neukum <oneukum@...e.com>
---
 drivers/net/usb/aqc111.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
index ea06d10e1c21..7848fe941a36 100644
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -1084,10 +1084,10 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 	if (!skb)
 		goto err;
 
-	if (skb->len == 0)
+	skb_len = skb->len;
+	if (skb_len < sizeof(desc_hdr))
 		goto err;
 
-	skb_len = skb->len;
 	/* RX Descriptor Header */
 	skb_trim(skb, skb->len - sizeof(desc_hdr));
 	desc_hdr = le64_to_cpup((u64 *)skb_tail_pointer(skb));
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ