ctcm: avoid wraparound in length of incoming data

Since the receive code should tolerate any incoming garbage, it
should be protected against a potential wraparound when manipulating
length values within incoming data.
block_len is unsigned, so a too large subtraction will cause a
wraparound.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/s390/net/ctcm_fsms.c b/drivers/s390/net/ctcm_fsms.c
index f29c7086fc19829540bf72d5bcea996514908449..4ded9ac2c5efc5298ecd8159e7f368d96001d0ad 100644 (file)
--- a/drivers/s390/net/ctcm_fsms.c
+++ b/drivers/s390/net/ctcm_fsms.c
@@ -410,9 +410,8 @@ static void chx_rx(fsm_instance *fi, int event, void *arg)
                priv->stats.rx_length_errors++;
                                                goto again;
        }
-       block_len -= 2;
-       if (block_len > 0) {
-               *((__u16 *)skb->data) = block_len;
+       if (block_len > 2) {
+               *((__u16 *)skb->data) = block_len - 2;
                ctcm_unpack_skb(ch, skb);
        }
  again:

diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index 59ce7fb730895a62441748f78c3faad085ee9831..a7a25383db763d3be2b5f16b37288ef61b7739dd 100644 (file)
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb)
                        return;
                }
                pskb->protocol = ntohs(header->type);
-               if (header->length <= LL_HEADER_LENGTH) {
+               if ((header->length <= LL_HEADER_LENGTH) ||
+                   (len <= LL_HEADER_LENGTH)) {
                        if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
                                CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
                                        "%s(%s): Illegal packet size %d(%d,%d)"