Commit 11e7a919 authored by Dan Carpenter's avatar Dan Carpenter Committed by Kalle Valo

airo: Fix read overflows sending packets

The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
overflow.

The fix is to pad skb->data to at least ETH_ZLEN bytes.

Cc: <stable@vger.kernel.org>
Reported-by: default avatarHu Jiahui <kirin.say@gmail.com>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda
parent 113a57a4
...@@ -1925,6 +1925,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb, ...@@ -1925,6 +1925,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
airo_print_err(dev->name, "%s: skb == NULL!",__func__); airo_print_err(dev->name, "%s: skb == NULL!",__func__);
return NETDEV_TX_OK; return NETDEV_TX_OK;
} }
if (skb_padto(skb, ETH_ZLEN)) {
dev->stats.tx_dropped++;
return NETDEV_TX_OK;
}
npacks = skb_queue_len (&ai->txq); npacks = skb_queue_len (&ai->txq);
if (npacks >= MAXTXQ - 1) { if (npacks >= MAXTXQ - 1) {
...@@ -2127,6 +2131,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb, ...@@ -2127,6 +2131,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
airo_print_err(dev->name, "%s: skb == NULL!", __func__); airo_print_err(dev->name, "%s: skb == NULL!", __func__);
return NETDEV_TX_OK; return NETDEV_TX_OK;
} }
if (skb_padto(skb, ETH_ZLEN)) {
dev->stats.tx_dropped++;
return NETDEV_TX_OK;
}
/* Find a vacant FID */ /* Find a vacant FID */
for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ ); for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
...@@ -2201,6 +2209,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb, ...@@ -2201,6 +2209,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
airo_print_err(dev->name, "%s: skb == NULL!", __func__); airo_print_err(dev->name, "%s: skb == NULL!", __func__);
return NETDEV_TX_OK; return NETDEV_TX_OK;
} }
if (skb_padto(skb, ETH_ZLEN)) {
dev->stats.tx_dropped++;
return NETDEV_TX_OK;
}
/* Find a vacant FID */ /* Find a vacant FID */
for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ ); for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment