| From bfca70a1e25a461b55452dc370a6006518f44239 Mon Sep 17 00:00:00 2001 |
| From: Andrey Konovalov <andreyknvl@google.com> |
| Date: Wed, 29 Mar 2017 16:11:20 +0200 |
| Subject: [PATCH] net/packet: fix overflow in check for priv area size |
| |
| commit 2b6867c2ce76c596676bec7d2d525af525fdc6e2 upstream. |
| |
| Subtracting tp_sizeof_priv from tp_block_size and casting to int |
| to check whether one is less then the other doesn't always work |
| (both of them are unsigned ints). |
| |
| Compare them as is instead. |
| |
| Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as |
| it can overflow inside BLK_PLUS_PRIV otherwise. |
| |
| Signed-off-by: Andrey Konovalov <andreyknvl@google.com> |
| Acked-by: Eric Dumazet <edumazet@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
| index b3dc668b0da7..4df49bae4f1f 100644 |
| --- a/net/packet/af_packet.c |
| +++ b/net/packet/af_packet.c |
| @@ -4222,8 +4222,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, |
| if (unlikely(!PAGE_ALIGNED(req->tp_block_size))) |
| goto out; |
| if (po->tp_version >= TPACKET_V3 && |
| - (int)(req->tp_block_size - |
| - BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) |
| + req->tp_block_size <= |
| + BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) |
| goto out; |
| if (unlikely(req->tp_frame_size < po->tp_hdrlen + |
| po->tp_reserve)) |
| -- |
| 2.12.0 |
| |