From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Wiedmann, Ursula Braun, "David S. Miller"
Subject: [PATCH 4.9 17/50] s390/qeth: fix length check in SNMP processing
Date: Tue, 4 Dec 2018 11:50:12 +0100
Message-Id: <20181204103715.388327672@linuxfoundation.org>
In-Reply-To: <20181204103714.485546262@linuxfoundation.org>
References: <20181204103714.485546262@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann

[ Upstream commit 9a764c1e59684c0358e16ccaafd870629f2cfe67 ]

The response for a SNMP request can consist of multiple parts, which
the cmd callback stages into a kernel buffer until all parts have been
received. If the callback detects that the staging buffer provides
insufficient space, it bails out with error.
This processing is buggy for the first part of the response - while it
initially checks for a length of 'data_len', it later copies an
additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.

Fix the calculation of 'data_len' for the first part of the response.
This also nicely cleans up the memcpy code.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Wiedmann
Reviewed-by: Ursula Braun
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/s390/net/qeth_core_main.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -4540,8 +4540,8 @@ static int qeth_snmp_command_cb(struct q { struct qeth_ipa_cmd *cmd; struct qeth_arp_query_info *qinfo; - struct qeth_snmp_cmd *snmp; unsigned char *data; + void *snmp_data; __u16 data_len; QETH_CARD_TEXT(card, 3, "snpcmdcb"); @@ -4549,7 +4549,6 @@ static int qeth_snmp_command_cb(struct q cmd = (struct qeth_ipa_cmd *) sdata; data = (unsigned char *)((char *)cmd - reply->offset); qinfo = (struct qeth_arp_query_info *) reply->param; - snmp = &cmd->data.setadapterparms.data.snmp; if (cmd->hdr.return_code) { QETH_CARD_TEXT_(card, 4, "scer1%x", cmd->hdr.return_code); @@ -4562,10 +4561,15 @@ static int qeth_snmp_command_cb(struct q return 0; } data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data)); - if (cmd->data.setadapterparms.hdr.seq_no == 1) - data_len -= (__u16)((char *)&snmp->data - (char *)cmd); - else - data_len -= (__u16)((char *)&snmp->request - (char *)cmd); + if (cmd->data.setadapterparms.hdr.seq_no == 1) { + snmp_data = &cmd->data.setadapterparms.data.snmp; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp); + } else { + snmp_data = &cmd->data.setadapterparms.data.snmp.request; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp.request); + } /* check if there is enough room in userspace */ if ((qinfo->udata_len - qinfo->udata_offset) < data_len) { 
@@ -4578,16 +4582,9 @@ static int qeth_snmp_command_cb(struct q QETH_CARD_TEXT_(card, 4, "sseqn%i", cmd->data.setadapterparms.hdr.seq_no); /*copy entries to user buffer*/ - if (cmd->data.setadapterparms.hdr.seq_no == 1) { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)snmp, - data_len + offsetof(struct qeth_snmp_cmd, data)); - qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data); - } else { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)&snmp->request, data_len); - } + memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len); qinfo->udata_offset += data_len; + /* check if all replies received ... */ QETH_CARD_TEXT_(card, 4, "srtot%i", cmd->data.setadapterparms.hdr.used_total);
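
Review bot: In the hunk at -4562, both branches subtract an offsetof() value from data_len without first checking that data_len is at least that large. data_len is a __u16 read from the PDU via QETH_IPA_PDU_LEN_PDU1(data), so a reported length smaller than the header offset wraps to a value near 65535. The only bound visible afterwards is the destination check "(qinfo->udata_len - qinfo->udata_offset) < data_len", which limits the write into qinfo->udata but says nothing about how many bytes are valid behind snmp_data. Suggest bailing out when data_len is smaller than the offset before doing the subtraction, and, if the received reply length is available in this callback, bounding data_len against it as well.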
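
Review bot: In the hunk at -4578, the context comment "/*copy entries to user buffer*/" directly above the new memcpy() does not match the commit message, which describes qinfo->udata as a kernel staging buffer; the same applies to "/* check if there is enough room in userspace */" in the previous hunk. Since this change rewrites the copy anyway, consider rewording both comments to say staging buffer. It would also help to note at the seq_no == 1 branch that data_len now includes the SNMP header, because the single "qinfo->udata_offset += data_len;" here depends on that.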