net/packet: fix overflow in tpacket_rcv - user/sven/linux.git

diff options

author	Or Cohen <orcohen@paloaltonetworks.com>	2020-09-03 21:05:28 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-09-09 19:12:29 +0200
commit	bc846b58fe5cecaa2632d566355e607954779d45 (patch)
tree	cb4d0bf5dbeaafb0ff5e99ef002628e47b39bcca /include/linux/log2.h
parent	e3d109c3484e2efe5de60df3935b6a2246391cd9 (diff)

net/packet: fix overflow in tpacket_rcv

[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ] Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value then sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb. The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX. This addresses CVE-2020-14386 Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

Diffstat (limited to 'include/linux/log2.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: