author | Matt Johnston <matt@codeconstruct.com.au> | 2022-02-25 06:39:38 +0100 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-02-26 07:23:33 +0100 |
commit | 33f5d1a9d9707d1c9ab227aadd9498664e0442e4 (patch) | |
tree | 741fe270dd693a65429a4c68c414209c3ed0d440 /drivers/net/mctp | |
parent | mctp i2c: Fix potential use-after-free (diff) | |
mctp i2c: Fix hard head TX bounds length check
We should be testing the length before fitting into the u8 byte_count.
This is just a sanity check, the MCTP stack should have limited to MTU
which is checked, and we check consistency later in mctp_i2c_xmit().
Found by Smatch
mctp_i2c_header_create() warn: impossible condition
'(hdr->byte_count > 255) => (0-255 > 255)'
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'drivers/net/mctp')
-rw-r--r-- | drivers/net/mctp/mctp-i2c.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 470682c88d7e..baf7afac7857 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -537,6 +537,9 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev,
 struct mctp_hdr *mhdr;
 u8 lldst, llsrc;
+ if (len > MCTP_I2C_MAXMTU)
+ return -EMSGSIZE;
+
 lldst = *((u8 *)daddr);
 llsrc = *((u8 *)saddr);
@@ -547,8 +550,6 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev,
 hdr->dest_slave = (lldst << 1) & 0xff;
 hdr->command = MCTP_I2C_COMMANDCODE;
 hdr->byte_count = len + 1;
- if (hdr->byte_count > MCTP_I2C_MAXBLOCK)
- return -EMSGSIZE;
 hdr->source_slave = ((llsrc << 1) & 0xff) | 0x01;
 mhdr->ver = 0x01; |
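Review bot: The two context lines directly after the new guard, `lldst = *((u8 *)daddr);` and `llsrc = *((u8 *)saddr);`, dereference both address pointers with no NULL check visible in this hunk, so the function validates `len` but still trusts its caller for the addresses. If any path into this header-create callback can pass a NULL source or destination address (the callers are not shown here, so this needs confirming), that is a kernel NULL pointer dereference; a guard such as `if (!daddr || !saddr) return -EINVAL;` next to the length check would close it. Separately, the new check only protects the `u8` store `hdr->byte_count = len + 1` in the second hunk if `MCTP_I2C_MAXMTU + 1` does not exceed 255; the macro's definition is outside the hunk, so a `BUILD_BUG_ON(MCTP_I2C_MAXMTU + 1 > U8_MAX);` would pin that assumption at compile time. The body of mctp_i2c_header_create() starts before and continues past both hunks.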