staging: gdm724x: check for overflow in gdm_lte_netif_rx()

This code assumes that "len" is at least 62 bytes, but we need a check to prevent a read overflow. Fixes: 61e12104 ("staging: gdm7240: adding LTE USB driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwandaSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: gdm724x: check for overflow in gdm_lte_netif_rx()
This code assumes that "len" is at least 62 bytes, but we need a check to prevent a read overflow. Fixes: 61e12104 ("staging: gdm7240: adding LTE USB driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwandaSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7002b526 · Dan Carpenter · Greg Kroah-Hartman · 4a36e160 · 7002b526
Commit 7002b526 authored Jun 14, 2021 by Dan Carpenter Committed by Greg Kroah-Hartman Jun 14, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

drivers/staging/gdm724x/gdm_lte.c drivers/staging/gdm724x/gdm_lte.c +6 -4

No files found.
--- a/drivers/staging/gdm724x/gdm_lte.c
+++ b/drivers/staging/gdm724x/gdm_lte.c
@@ -611,10 +611,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf,
 						  * bytes (99,130,83,99 dec)
 						  */
 			} __packed;
-			void *addr = buf + sizeof(struct iphdr) +
-				sizeof(struct udphdr) +
-				offsetof(struct dhcp_packet, chaddr);
-			ether_addr_copy(nic->dest_mac_addr, addr);
+			int offset = sizeof(struct iphdr) +
+				     sizeof(struct udphdr) +
+				     offsetof(struct dhcp_packet, chaddr);
+			if (offset + ETH_ALEN > len)
+				return;
+			ether_addr_copy(nic->dest_mac_addr, buf + offset);
 		}
 	}