From 5a69f596027ff45d9daf7c6584a8a9d4f7ea0770 Mon Sep 17 00:00:00 2001 From: Pavel Kubelun Date: Mon, 28 Nov 2016 18:10:05 +0300 Subject: net: ar8216: address security vulnerabilities in swconfig & ar8216 Imported from https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e1aaf7ec008a97311867f0a7d0418e4693fecfd4%5E%21/#F0 Signed-off-by: Pavel Kubelun CHROMIUM: net: ar8216: address security vulnerabilities in swconfig & ar8216 This patch does the following changes: *address the security vulnerabilities in both swconfig framework and in ar8216 driver (many bound check additions, and turned swconfig structure signed element into unsigned when applicable) *address a couple of whitespaces and indendation issues BUG=chrome-os-partner:33096 TEST=none Change-Id: I94ea78fcce8c1932cc584d1508c6e3b5dfb93ce9 Signed-off-by: Mathieu Olivari Reviewed-on: https://chromium-review.googlesource.com/236490 Reviewed-by: Toshi Kikuchi Commit-Queue: Toshi Kikuchi Tested-by: Toshi Kikuchi --- target/linux/generic/files/drivers/net/phy/swconfig.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'target/linux/generic/files/drivers/net/phy/swconfig.c') diff --git a/target/linux/generic/files/drivers/net/phy/swconfig.c b/target/linux/generic/files/drivers/net/phy/swconfig.c index c70ca74cad..63a9588136 100644 --- a/target/linux/generic/files/drivers/net/phy/swconfig.c +++ b/target/linux/generic/files/drivers/net/phy/swconfig.c @@ -506,7 +506,7 @@ swconfig_lookup_attr(struct switch_dev *dev, struct genl_info *info, struct genlmsghdr *hdr = nlmsg_data(info->nlhdr); const struct switch_attrlist *alist; const struct switch_attr *attr = NULL; - int attr_id; + unsigned int attr_id; /* defaults */ struct switch_attr *def_list; @@ -590,11 +590,13 @@ swconfig_parse_ports(struct sk_buff *msg, struct nlattr *head, val->len = 0; nla_for_each_nested(nla, head, rem) { struct nlattr *tb[SWITCH_PORT_ATTR_MAX+1]; - struct switch_port *port = &val->value.ports[val->len]; + struct switch_port *port; if (val->len >= max) return -EINVAL; + port = &val->value.ports[val->len]; + if (nla_parse_nested(tb, SWITCH_PORT_ATTR_MAX, nla, port_policy)) return -EINVAL; @@ -1111,6 +1113,11 @@ register_switch(struct switch_dev *dev, struct net_device *netdev) } BUG_ON(!dev->alias); + /* Make sure swdev_id doesn't overflow */ + if (swdev_id == INT_MAX) { + return -ENOMEM; + } + if (dev->ports > 0) { dev->portbuf = kzalloc(sizeof(struct switch_port) * dev->ports, GFP_KERNEL); @@ -1227,4 +1234,3 @@ swconfig_exit(void) module_init(swconfig_init); module_exit(swconfig_exit); - -- cgit v1.2.3