linux/drivers/s390/net
Julian Wiedmann 292a50e3fc s390/qeth: reject oversized SNMP requests
Commit d4c08afafa ("s390/qeth: streamline SNMP cmd code") removed
the bounds checking for req_len, under the assumption that the check in
qeth_alloc_cmd() would suffice.

But that code path isn't sufficiently robust to handle a user-provided
data_length, which could overflow (when adding the cmd header overhead)
before being checked against QETH_BUFSIZE. We end up allocating just a
tiny iob, and the subsequent copy_from_user() writes past the end of
that iob.

Special-case this path and add a coarse bounds check, to protect against
malicious requests. This lets the subsequent code flow do its normal
job and precise checking, without risk of overflow.

Fixes: d4c08afafa ("s390/qeth: streamline SNMP cmd code")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-08-24 16:34:08 -07:00
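
The overflow described in the commit message above, as an added example that is not code from the qeth driver: a simplified C model showing how adding header overhead to a user-supplied length can wrap before the size check, and how a coarse check on the raw length prevents it. All function and macro names, the 32-bit unsigned length type, the 64-byte header overhead and the 4096-byte limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_BUFSIZE 4096u /* stands in for QETH_BUFSIZE; value assumed */
#define MODEL_HDR_LEN 64u   /* constructed cmd header overhead */

/* Unsafe ordering: the sum is computed first and can wrap modulo 2^32,
 * so a huge data_length yields a small "valid" allocation size.
 * Returns the size that would be allocated, or 0 if rejected. */
uint32_t alloc_len_unchecked(uint32_t data_length)
{
    uint32_t total = (uint32_t)(MODEL_HDR_LEN + data_length); /* may wrap */

    if (total > MODEL_BUFSIZE)
        return 0;
    return total;
}

/* Hardened ordering: reject on the raw user value first (coarse check),
 * so the addition cannot wrap and the precise check stays meaningful. */
int alloc_len_checked(uint32_t data_length, uint32_t *total)
{
    if (data_length > MODEL_BUFSIZE)
        return -EINVAL;

    *total = MODEL_HDR_LEN + data_length; /* at most 4160, no wrap */
    if (*total > MODEL_BUFSIZE)
        return -EINVAL;
    return 0;
}

int main(void)
{
    uint32_t huge = UINT32_MAX - 15u; /* constructed oversized request */
    uint32_t total = 0;

    /* The buffer would be 48 bytes while the copy length stays ~4 GiB. */
    printf("unchecked: alloc=%u for data_length=%u\n",
           (unsigned)alloc_len_unchecked(huge), (unsigned)huge);
    printf("checked:   rc=%d\n", alloc_len_checked(huge, &total));
    return 0;
}
```

The mismatch between the wrapped allocation size and the unchanged copy length is what lets the later copy run past the end of the buffer.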
..
ctcm_dbug.c
ctcm_dbug.h
ctcm_fsms.c s390/net: Mark expected switch fall-throughs 2019-08-09 19:50:01 -05:00
ctcm_fsms.h
ctcm_main.c s390: ctcm: fix ctcm_new_device error return code 2019-04-17 23:25:35 -07:00
ctcm_main.h
ctcm_mpc.c s390/net: Mark expected switch fall-throughs 2019-08-09 19:50:01 -05:00
ctcm_mpc.h
ctcm_sysfs.c
fsm.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2017-11-30 08:13:36 -08:00
fsm.h
ism_drv.c s390/ism: move oddities of device IO to wrapper function 2019-04-29 10:47:01 +02:00
ism.h s390/ism: move oddities of device IO to wrapper function 2019-04-29 10:47:01 +02:00
Kconfig s390/Kconfig: pedantic cleanups 2019-06-04 15:03:46 +02:00
lcs.c s390/net: set HW port number in netdevice 2018-04-27 13:38:47 -04:00
lcs.h net: convert lcs_reply.refcnt from atomic_t to refcount_t 2017-12-20 15:23:44 -05:00
Makefile s390/qeth: move ethtool code into its own file 2019-02-15 20:35:29 -08:00
netiucv.c s390: drivers: Remove redundant license text 2017-11-24 14:28:47 +01:00
qeth_core_main.c s390/qeth: reject oversized SNMP requests 2019-08-24 16:34:08 -07:00
qeth_core_mpc.c s390/qeth: allow cmd callbacks to return errnos 2019-02-12 13:14:24 -05:00
qeth_core_mpc.h s390/qeth: dynamically allocate vnicc cmds 2019-06-27 10:18:23 -07:00
qeth_core_sys.c s390/qeth: use IS_* helpers for checking device type 2019-04-26 11:14:06 -04:00
qeth_core.h s390/qeth: serialize cmd reply with concurrent timeout 2019-08-13 19:26:47 -07:00
qeth_ethtool.c s390/qeth: stop/wake TX queues based on their fill level 2019-04-17 10:33:59 -07:00
qeth_l2_main.c s390/net: Mark expected switch fall-throughs 2019-08-09 19:50:01 -05:00
qeth_l2_sys.c
qeth_l2.h s390/qeth: clean up exported symbols 2018-07-12 16:42:39 -07:00
qeth_l3_main.c s390/qeth: move cast type selection into fill_header() 2019-06-27 10:18:24 -07:00
qeth_l3_sys.c s390/qeth: use IS_* helpers for checking device type 2019-04-26 11:14:06 -04:00
qeth_l3.h s390/qeth: shrink qeth_ipaddr struct 2018-03-09 13:10:05 -05:00
smsgiucv_app.c s390: net: add SPDX identifiers to the remaining files 2017-11-24 14:28:43 +01:00
smsgiucv.c s390/smsgiucv: disable SMSG on module unload 2018-04-16 09:10:17 +02:00
smsgiucv.h