summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRusty Russell <rusty@rustcorp.com.au>2008-04-13 03:49:30 +0200
committerDavid S. Miller <davem@davemloft.net>2008-04-13 03:49:30 +0200
commite01bf1c83332c4653ffd30eed20a94a9c83d82b2 (patch)
treebb39605cba8ced4b5cc3f0aca63b345ec02e29a9
parentnet: make struct tun_struct private to tun.c (diff)
downloadlinux-e01bf1c83332c4653ffd30eed20a94a9c83d82b2.tar.xz
linux-e01bf1c83332c4653ffd30eed20a94a9c83d82b2.zip
net: check for underlength tap writes
If the user gives a packet under 14 bytes, we'll end up reading off the end of the skb (not oopsing, just reading off the end). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Acked-by: Max Krasnyanskiy <maxk@qualcomm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/tun.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 970ec4793442..5b5d87585d91 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv,
return -EFAULT;
}
- if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV)
+ if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
align = NET_IP_ALIGN;
+ if (unlikely(len < ETH_HLEN))
+ return -EINVAL;
+ }
if (!(skb = alloc_skb(len + align, GFP_KERNEL))) {
tun->dev->stats.rx_dropped++;