From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Wiedmann, Ursula Braun, "David S. Miller"
Subject: [PATCH 4.14 066/146] s390/qeth: fix length check in SNMP processing
Date: Tue, 4 Dec 2018 11:49:12 +0100
Message-Id: <20181204103729.496200561@linuxfoundation.org>
In-Reply-To: <20181204103726.750894136@linuxfoundation.org>
References: <20181204103726.750894136@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann

[ Upstream commit 9a764c1e59684c0358e16ccaafd870629f2cfe67 ]

The response for a SNMP request can consist of multiple parts, which
the cmd callback stages into a kernel buffer until all parts have been
received. If the callback detects that the staging buffer provides
insufficient space, it bails out with error.
This processing is buggy for the first part of the response - while it
initially checks for a length of 'data_len', it later copies an
additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.

Fix the calculation of 'data_len' for the first part of the response.
This also nicely cleans up the memcpy code.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Wiedmann
Reviewed-by: Ursula Braun
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/s390/net/qeth_core_main.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -4545,8 +4545,8 @@ static int qeth_snmp_command_cb(struct q { struct qeth_ipa_cmd *cmd; struct qeth_arp_query_info *qinfo; - struct qeth_snmp_cmd *snmp; unsigned char *data; + void *snmp_data; __u16 data_len; QETH_CARD_TEXT(card, 3, "snpcmdcb"); @@ -4554,7 +4554,6 @@ static int qeth_snmp_command_cb(struct q cmd = (struct qeth_ipa_cmd *) sdata; data = (unsigned char *)((char *)cmd - reply->offset); qinfo = (struct qeth_arp_query_info *) reply->param; - snmp = &cmd->data.setadapterparms.data.snmp; if (cmd->hdr.return_code) { QETH_CARD_TEXT_(card, 4, "scer1%x", cmd->hdr.return_code); @@ -4567,10 +4566,15 @@ static int qeth_snmp_command_cb(struct q return 0; } data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data)); - if (cmd->data.setadapterparms.hdr.seq_no == 1) - data_len -= (__u16)((char *)&snmp->data - (char *)cmd); - else - data_len -= (__u16)((char *)&snmp->request - (char *)cmd); + if (cmd->data.setadapterparms.hdr.seq_no == 1) { + snmp_data = &cmd->data.setadapterparms.data.snmp; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp); + } else { + snmp_data = &cmd->data.setadapterparms.data.snmp.request; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp.request); + } /* check if there is enough room in userspace */ if ((qinfo->udata_len - qinfo->udata_offset) < data_len) { 
@@ -4583,16 +4587,9 @@ static int qeth_snmp_command_cb(struct q QETH_CARD_TEXT_(card, 4, "sseqn%i", cmd->data.setadapterparms.hdr.seq_no); /*copy entries to user buffer*/ - if (cmd->data.setadapterparms.hdr.seq_no == 1) { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)snmp, - data_len + offsetof(struct qeth_snmp_cmd, data)); - qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data); - } else { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)&snmp->request, data_len); - } + memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len); qinfo->udata_offset += data_len; + /* check if all replies received ... */ QETH_CARD_TEXT_(card, 4, "srtot%i", cmd->data.setadapterparms.hdr.used_total);
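
Review bot: in the hunk at -4567, both branches subtract an `offsetof(struct qeth_ipa_cmd, ...)` value from `data_len` without first checking that the length read via `QETH_IPA_PDU_LEN_PDU1(data)` is at least that large. `data_len` is a `__u16`, so a reply shorter than the header offset wraps it to a large value. The following `(qinfo->udata_len - qinfo->udata_offset) < data_len` test only rejects that when the remaining staging space happens to be smaller than the wrapped length. I would compare the raw PDU length against the offset and bail out on a short reply before doing the subtraction.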
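
Review bot: in the hunk at -4583, the unified `memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len)` is bounded on the destination side only. Nothing in the visible lines checks that `data_len` bytes starting at `snmp_data` lie inside the reply that was actually received, and the length is taken from the PDU itself. Consider validating `data_len` against the size of the received data before the copy, so that an inconsistent length field cannot make the callback read past the end of the reply buffer.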