diff options
author | Rusty Russell <rusty@rustcorp.com.au> | 2008-04-13 03:49:30 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-04-13 03:49:30 +0200 |
commit | e01bf1c83332c4653ffd30eed20a94a9c83d82b2 (patch) | |
tree | bb39605cba8ced4b5cc3f0aca63b345ec02e29a9 | |
parent | net: make struct tun_struct private to tun.c (diff) | |
download | linux-e01bf1c83332c4653ffd30eed20a94a9c83d82b2.tar.xz linux-e01bf1c83332c4653ffd30eed20a94a9c83d82b2.zip |
net: check for underlength tap writes
If the user gives a packet under 14 bytes, we'll end up reading off the end
of the skb (not oopsing, just reading off the end).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Max Krasnyanskiy <maxk@qualcomm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/tun.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 970ec4793442..5b5d87585d91 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv, return -EFAULT; } - if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) + if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) { align = NET_IP_ALIGN; + if (unlikely(len < ETH_HLEN)) + return -EINVAL; + } if (!(skb = alloc_skb(len + align, GFP_KERNEL))) { tun->dev->stats.rx_dropped++; |