net/packet: fix overflow in tpacket_rcv - linux

diff options

author	Or Cohen <orcohen@paloaltonetworks.com>	2020-09-04 06:05:28 +0200
committer	Linus Torvalds <torvalds@linux-foundation.org>	2020-09-04 20:56:02 +0200
commit	acf69c946233259ab4d64f8869d4037a198c7f06 (patch)
tree	45b5adb90a74f16effbdeb788c763e87c47bb84b /sound/pci/hda
parent	Merge branch 'simplify-do_wp_page' (diff)
download	linux-acf69c946233259ab4d64f8869d4037a198c7f06.tar.xz linux-acf69c946233259ab4d64f8869d4037a198c7f06.zip

net/packet: fix overflow in tpacket_rcv

Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value then sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb. The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX. This addresses CVE-2020-14386 Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'sound/pci/hda')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: