ctcm: avoid wraparound in length of incoming data Since the receive code should tolerate any incoming garbage, it should be protected against a potential wraparound when manipulating length values within incoming data. block_len is unsigned, so a too large subtraction will cause a wraparound. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6 [log] [tgz]
author: Roel Kluin <roel.kluin@gmail.com> Tue Mar 24 03:27:48 2009 +0000
committer: David S. Miller <davem@davemloft.net> Tue Mar 24 15:24:30 2009 -0700
tree: 7097afe2b7adc07f38457549a1e89701153ecae9
parent: 3a05d1404d91efd63f0654a4bf59b8803c32efdd [diff] [blame]
diff --git a/drivers/s390/net/ctcm_fsms.c b/drivers/s390/net/ctcm_fsms.c
index f29c708..4ded9ac 100644
--- a/drivers/s390/net/ctcm_fsms.c
+++ b/drivers/s390/net/ctcm_fsms.c

@@ -410,9 +410,8 @@
 		priv->stats.rx_length_errors++;
 						goto again;
 	}
-	block_len -= 2;
-	if (block_len > 0) {
-		*((__u16 *)skb->data) = block_len;
+	if (block_len > 2) {
+		*((__u16 *)skb->data) = block_len - 2;
 		ctcm_unpack_skb(ch, skb);
 	}
  again:
commit	fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6	[log] [tgz]
author	Roel Kluin <roel.kluin@gmail.com>	Tue Mar 24 03:27:48 2009 +0000
committer	David S. Miller <davem@davemloft.net>	Tue Mar 24 15:24:30 2009 -0700
tree	7097afe2b7adc07f38457549a1e89701153ecae9
parent	3a05d1404d91efd63f0654a4bf59b8803c32efdd [diff] [blame]