From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Wiedmann, Ursula Braun, "David S. Miller"
Subject: [PATCH 4.19 017/139] s390/qeth: fix length check in SNMP processing
Date: Tue, 4 Dec 2018 11:48:18 +0100
Message-Id: <20181204103650.686299099@linuxfoundation.org>
In-Reply-To: <20181204103649.950154335@linuxfoundation.org>
References: <20181204103649.950154335@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann

[ Upstream commit 9a764c1e59684c0358e16ccaafd870629f2cfe67 ]

The response for a SNMP request can consist of multiple parts, which the cmd callback stages into a kernel buffer until all parts have been received. If the callback detects that the staging buffer provides insufficient space, it bails out with error.

This processing is buggy for the first part of the response - while it initially checks for a length of 'data_len', it later copies an additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.

Fix the calculation of 'data_len' for the first part of the response. This also nicely cleans up the memcpy code.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Wiedmann
Reviewed-by: Ursula Braun
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/s390/net/qeth_core_main.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

--- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c 
@@ -4524,8 +4524,8 @@ static int qeth_snmp_command_cb(struct q { struct qeth_ipa_cmd *cmd; struct qeth_arp_query_info *qinfo; - struct qeth_snmp_cmd *snmp; unsigned char *data; + void *snmp_data; __u16 data_len; QETH_CARD_TEXT(card, 3, "snpcmdcb"); @@ -4533,7 +4533,6 @@ static int qeth_snmp_command_cb(struct q cmd = (struct qeth_ipa_cmd *) sdata; data = (unsigned char *)((char *)cmd - reply->offset); qinfo = (struct qeth_arp_query_info *) reply->param; - snmp = &cmd->data.setadapterparms.data.snmp; if (cmd->hdr.return_code) { QETH_CARD_TEXT_(card, 4, "scer1%x", cmd->hdr.return_code); @@ -4546,10 +4545,15 @@ static int qeth_snmp_command_cb(struct q return 0; } data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data)); - if (cmd->data.setadapterparms.hdr.seq_no == 1) - data_len -= (__u16)((char *)&snmp->data - (char *)cmd); - else - data_len -= (__u16)((char *)&snmp->request - (char *)cmd); + if (cmd->data.setadapterparms.hdr.seq_no == 1) { + snmp_data = &cmd->data.setadapterparms.data.snmp; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp); + } else { + snmp_data = &cmd->data.setadapterparms.data.snmp.request; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp.request); + } /* check if there is enough room in userspace */ if ((qinfo->udata_len - qinfo->udata_offset) < data_len) { 
@@ -4562,16 +4566,9 @@ static int qeth_snmp_command_cb(struct q QETH_CARD_TEXT_(card, 4, "sseqn%i", cmd->data.setadapterparms.hdr.seq_no); /*copy entries to user buffer*/ - if (cmd->data.setadapterparms.hdr.seq_no == 1) { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)snmp, - data_len + offsetof(struct qeth_snmp_cmd, data)); - qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data); - } else { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)&snmp->request, data_len); - } + memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len); qinfo->udata_offset += data_len; + /* check if all replies received ... */ QETH_CARD_TEXT_(card, 4, "srtot%i", cmd->data.setadapterparms.hdr.used_total);
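Review bot: in the hunk at -4546, both branches do `data_len -= offsetof(struct qeth_ipa_cmd, ...)` on a `__u16` that was just read from the PDU, with no check that the reported length is at least as large as the offset being subtracted. A response whose PDU length is shorter than that header offset makes the subtraction wrap to a large value, and the following `(qinfo->udata_len - qinfo->udata_offset) < data_len` test only rejects it when the remaining staging space happens to be smaller than the wrapped result. Suggest comparing `data_len` against the offset first and taking the same error path when it is too small, so the lower bound is enforced explicitly rather than left to the upper-bound check.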
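Review bot: in the hunk at -4562, the unified `memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len)` is bounded on the destination side only; nothing in the visible lines confirms that `data_len` bytes are actually present behind `snmp_data` in the received reply, since `data_len` comes from the PDU itself. Suggest validating the length against the size of the reply buffer before copying. Separately, the context comments "check if there is enough room in userspace" and "copy entries to user buffer" describe what the commit message calls a kernel staging buffer; worth correcting them while this code is being touched so the next reader does not mistake this for a copy to user memory.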