Message-Id: <20220225053938.643605-4-matt@codeconstruct.com.au>
Date:   Fri, 25 Feb 2022 13:39:38 +0800
From:   Matt Johnston <matt@...econstruct.com.au>
To:     netdev@...r.kernel.org
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Jeremy Kerr <jk@...econstruct.com.au>
Subject: [PATCH net-next 3/3] mctp i2c: Fix hard head TX bounds length check

We should be testing the length before fitting into the u8 byte_count.
This is just a sanity check, the MCTP stack should have limited to MTU
which is checked, and we check consistency later in mctp_i2c_xmit().

Found by Smatch
mctp_i2c_header_create() warn: impossible condition
    '(hdr->byte_count > 255) => (0-255 > 255)'

Signed-off-by: Matt Johnston <matt@...econstruct.com.au>
---
 drivers/net/mctp/mctp-i2c.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 470682c88d7e..baf7afac7857 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -537,6 +537,9 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev,
 	struct mctp_hdr *mhdr;
 	u8 lldst, llsrc;
 
+	if (len > MCTP_I2C_MAXMTU)
+		return -EMSGSIZE;
+
 	lldst = *((u8 *)daddr);
 	llsrc = *((u8 *)saddr);
 
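Review bot: The new guard `if (len > MCTP_I2C_MAXMTU)` only protects the later `hdr->byte_count = len + 1` if MCTP_I2C_MAXMTU + 1 still fits in the u8 byte_count, and that relationship is not visible or documented at this point in the function. The check it replaces compared against MCTP_I2C_MAXBLOCK, so the change of constant deserves a sentence in the commit message or a short comment above the guard. A compile-time assertion such as BUILD_BUG_ON(MCTP_I2C_MAXMTU + 1 > 255) would keep the bound from drifting if either constant is changed later.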
@@ -547,8 +550,6 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev,
 	hdr->dest_slave = (lldst << 1) & 0xff;
 	hdr->command = MCTP_I2C_COMMANDCODE;
 	hdr->byte_count = len + 1;
-	if (hdr->byte_count > MCTP_I2C_MAXBLOCK)
-		return -EMSGSIZE;
 	hdr->source_slave = ((llsrc << 1) & 0xff) | 0x01;
 	mhdr->ver = 0x01;
 
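Review bot: With the post-assignment check removed, `hdr->byte_count = len + 1;` becomes a silently truncating store into a u8 whose safety depends entirely on the guard added at the top of the function. A one-line comment at the assignment stating that len has already been bounded against MCTP_I2C_MAXMTU would make that dependency explicit and help prevent a later refactor from moving or dropping the guard unnoticed.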
-- 
2.32.0
