Commit e01bf1c8 authored by Rusty Russell's avatar Rusty Russell Committed by David S. Miller

net: check for underlength tap writes

If the user gives a packet under 14 bytes, we'll end up reading off the end
of the skb (not oopsing, just reading off the end).
Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
Acked-by: default avatarMax Krasnyanskiy <maxk@qualcomm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 14daa021
...@@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv, ...@@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv,
return -EFAULT; return -EFAULT;
} }
if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
align = NET_IP_ALIGN; align = NET_IP_ALIGN;
if (unlikely(len < ETH_HLEN))
return -EINVAL;
}
if (!(skb = alloc_skb(len + align, GFP_KERNEL))) { if (!(skb = alloc_skb(len + align, GFP_KERNEL))) {
tun->dev->stats.rx_dropped++; tun->dev->stats.rx_dropped++;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment