From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Wiedmann, Ursula Braun, "David S. Miller"
Subject: [PATCH 3.18 03/54] s390/qeth: fix length check in SNMP processing
Date: Tue, 11 Dec 2018 16:40:51 +0100
Message-Id: <20181211151546.202527983@linuxfoundation.org>
X-Mailer: git-send-email 2.20.0
In-Reply-To: <20181211151546.010073210@linuxfoundation.org>
References: <20181211151546.010073210@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann

[ Upstream commit 9a764c1e59684c0358e16ccaafd870629f2cfe67 ]

The response for a SNMP request can consist of multiple parts, which the cmd callback stages into a kernel buffer until all parts have been received. If the callback detects that the staging buffer provides insufficient space, it bails out with error.

This processing is buggy for the first part of the response - while it initially checks for a length of 'data_len', it later copies an additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.

Fix the calculation of 'data_len' for the first part of the response. This also nicely cleans up the memcpy code.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Wiedmann
Reviewed-by: Ursula Braun
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- drivers/s390/net/qeth_core_main.c | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) --- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c
@@ -4496,8 +4496,8 @@ static int qeth_snmp_command_cb(struct q { struct qeth_ipa_cmd *cmd; struct qeth_arp_query_info *qinfo; - struct qeth_snmp_cmd *snmp; unsigned char *data; + void *snmp_data; __u16 data_len; QETH_CARD_TEXT(card, 3, "snpcmdcb"); @@ -4505,7 +4505,6 @@ static int qeth_snmp_command_cb(struct q cmd = (struct qeth_ipa_cmd *) sdata; data = (unsigned char *)((char *)cmd - reply->offset); qinfo = (struct qeth_arp_query_info *) reply->param; - snmp = &cmd->data.setadapterparms.data.snmp; if (cmd->hdr.return_code) { QETH_CARD_TEXT_(card, 4, "scer1%i", cmd->hdr.return_code); @@ -4518,10 +4517,15 @@ static int qeth_snmp_command_cb(struct q return 0; } data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data)); - if (cmd->data.setadapterparms.hdr.seq_no == 1) - data_len -= (__u16)((char *)&snmp->data - (char *)cmd); - else - data_len -= (__u16)((char *)&snmp->request - (char *)cmd); + if (cmd->data.setadapterparms.hdr.seq_no == 1) { + snmp_data = &cmd->data.setadapterparms.data.snmp; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp); + } else { + snmp_data = &cmd->data.setadapterparms.data.snmp.request; + data_len -= offsetof(struct qeth_ipa_cmd, + data.setadapterparms.data.snmp.request); + } /* check if there is enough room in userspace */ if ((qinfo->udata_len - qinfo->udata_offset) < data_len) { 
@@ -4534,16 +4538,9 @@ static int qeth_snmp_command_cb(struct q QETH_CARD_TEXT_(card, 4, "sseqn%i", cmd->data.setadapterparms.hdr.seq_no); /*copy entries to user buffer*/ - if (cmd->data.setadapterparms.hdr.seq_no == 1) { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)snmp, - data_len + offsetof(struct qeth_snmp_cmd, data)); - qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data); - } else { - memcpy(qinfo->udata + qinfo->udata_offset, - (char *)&snmp->request, data_len); - } + memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len); qinfo->udata_offset += data_len; + /* check if all replies received ... */ QETH_CARD_TEXT_(card, 4, "srtot%i", cmd->data.setadapterparms.hdr.used_total);
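Review bot: In the hunk at -4518, both branches do `data_len -= offsetof(...)` on a `__u16` that was just read from the PDU via `QETH_IPA_PDU_LEN_PDU1(data)`, and nothing checks that the reported length is at least the offset being subtracted. A length shorter than the header offset would wrap to a large value, and the only check visible afterwards, `(qinfo->udata_len - qinfo->udata_offset) < data_len`, compares against the room left in the staging buffer rather than rejecting a malformed length. Suggest storing the offset in a local, bailing out with an error when `data_len` is smaller than it, and only then subtracting.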
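Review bot: In the hunk at -4534, the single `memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len)` is correct only because the earlier branch now sets `snmp_data` and `data_len` as a matching pair, and nothing in the code documents that invariant. A short comment at the branch noting that for seq_no 1 `data_len` now covers the SNMP header as well as the payload would make the removal of the separate `offsetof(struct qeth_snmp_cmd, data)` adjustment easier to audit. The neighbouring comments still say "copy entries to user buffer" and "check if there is enough room in userspace", while the commit message describes a kernel staging buffer, so they are worth correcting in the same cleanup.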