net: check for underlength tap writes
authorRusty Russell <rusty@rustcorp.com.au>
Sun, 13 Apr 2008 01:49:30 +0000 (18:49 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sun, 13 Apr 2008 01:49:30 +0000 (18:49 -0700)
If the user gives a packet under 14 bytes, we'll end up reading off the end
of the skb (not oopsing, just reading off the end).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Max Krasnyanskiy <maxk@qualcomm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/tun.c

index 970ec4793442e001bc0008659ad1be485ddb7415..5b5d87585d914cf29dbad9c0f84d466590f7d537 100644 (file)
@@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv,
                        return -EFAULT;
        }
 
-       if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV)
+       if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
                align = NET_IP_ALIGN;
+               if (unlikely(len < ETH_HLEN))
+                       return -EINVAL;
+       }
 
        if (!(skb = alloc_skb(len + align, GFP_KERNEL))) {
                tun->dev->stats.rx_dropped++;