Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp538923ybm; Thu, 28 May 2020 08:57:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwLCDTSzOfFBTho09MAoyBdAfkbAV2hExVWzuo8khBRpbnJYSr4qk7vVPMbE8BkJorVAndY X-Received: by 2002:a17:906:3a0d:: with SMTP id z13mr3591367eje.122.1590681422243; Thu, 28 May 2020 08:57:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590681422; cv=none; d=google.com; s=arc-20160816; b=fXuKP1SzR4KsW8T4zAT0D9Laa6vD/xgb9xJ7tcl0R6fJjPDqWPE+YDnOdgeTB0kJwb t4LQ440pSVGHy0gkzUURqlvWKwsCcF2YxZo7WtRCOI+u4dcEwxbmlHvd5iNf1U+XG8/v EdSFZQ6BQlzkD1M/qnwBf38gYSBnJNDFuMrgPPr4n3I8IJxAvcq2qq+enp0tIRb6Z9qa Wpb41CaIXXDwhcU0dB7din7wA6O/vWhoPH0DfQ9YMlhJbEo6Ss3EyDTWJctqKKcgszbI /SC8OoPSrjzEcZbKchW+MNqZieQNmx/3zr3V5RwJVruQyW06qeJr6GPjORBUFp4qrl3P 1tfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=VEmAX536cEKY0/3WcgFeUZpRguWTw2eheRjri6Y8rOM=; b=kjU0hURvz0S7K2Xw9cCmwBDZOHJQUPtVxPZ5vq34p3B6ZPssdyKYOnYAspJ28yH9bk h0ePoBJPLUNBehITG70VOmZKD9EMUmIN465lzsO4uSKwyO+6pG4KlS/clzIo1tKU+O4a lHcepP8cRC5baffVEclQYQKkLBQXraCX33VuTAFt850hxWCQA2EZeB6oeOXyeErjSu1m qNeNSzo/yRDYb3XbDpgavX9xvwa8Yi19D0XU2bUnUhqu5RXHjQlzVjj5STNyKM7tvFKC hdMKmXVxgunHlhtosLySb8jQ19L78uKv9GwmZ+ANiGciL/8bgWluKROM40F/l9hn2Y7t d9Ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="heafo/yd"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d1si4081069ejb.134.2020.05.28.08.56.37; Thu, 28 May 2020 08:57:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="heafo/yd"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404825AbgE1PzW (ORCPT + 99 others); Thu, 28 May 2020 11:55:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404819AbgE1PzU (ORCPT ); Thu, 28 May 2020 11:55:20 -0400 Received: from mail-yb1-xb43.google.com (mail-yb1-xb43.google.com [IPv6:2607:f8b0:4864:20::b43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6BA88C08C5C6 for ; Thu, 28 May 2020 08:55:20 -0700 (PDT) Received: by mail-yb1-xb43.google.com with SMTP id b62so268115ybh.8 for ; Thu, 28 May 2020 08:55:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VEmAX536cEKY0/3WcgFeUZpRguWTw2eheRjri6Y8rOM=; b=heafo/ydFo5dc8vjHOTX8YSQ7sK2rjhJY4tXG8ZH2P2NP/sJIWKzQ5Ptpis835p8LR gRZ0/38aFQd7EU2+aTcJG2obAITuLyrttJSQUMNDw/CkIii1j6nyCe4PwSYdU1dA//Su lDvPBmd3nKQbPGadZT2nkIExgpWwliIvVwIYk2VfmddAJ0tAfE0mAFNFcMYZRJVY/jiM fjZlJgJAF0uounWB7JXzhPll8UB36R2QE/M4AL2vnXCZqzl0l7In9vz4r9HXGEeF1vgn gvivH3bxVgf0RruN/4edh2qW4qDZ36uq5zZOtrFytBp7wDK46hQWYefJhKMJ0LgtVPKI ikfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VEmAX536cEKY0/3WcgFeUZpRguWTw2eheRjri6Y8rOM=; b=hW/imiL309ntVih1RPrmAr0DQvVHPCubCURj+EJ1oxrpvr7kD78JAMo5+ZFC7mxW8m Tyq1lfMR5LVnZJpOh7dqdDtO1f5J77OtwdWxO7PtHRfCPeB0AqrD6sSYVUWPpYMoUXXP 0eApNWfO1FFjoSVIDJ1Xqyhl6/JdUM4RCq4zk9VMCfYk9WH6EiXXzu4cocP5bnPC/YUJ 4HBye4QZK87P5NBFq3WPtnZ8fyqoKv1WwS9L5fGKt8CFpD7Fw1dy/cwrNcZNv6d2CCdr Em2HCPzg4T2GcQWACPuLWG4hetk2V0KAwC46HSG6EkFLj+ejCfYnkOO2kDwkcu18fBeo ToBA== X-Gm-Message-State: AOAM533bAn6tdYH8RdbpEXoqkiSGwWNpqkEXix1wFT8utMMdbLK3efsk RwjerUvitdtA2HokIl0BHdHGfSC6FfdMPoaGpcdS20SU X-Received: by 2002:a25:4cc4:: with SMTP id z187mr6577880yba.274.1590681319118; Thu, 28 May 2020 08:55:19 -0700 (PDT) MIME-Version: 1.0 References: <20200527184830.GA1164846@mwanda> In-Reply-To: <20200527184830.GA1164846@mwanda> From: Eric Dumazet Date: Thu, 28 May 2020 08:55:07 -0700 Message-ID: Subject: Re: [PATCH v3] airo: Fix read overflows sending packets To: Dan Carpenter Cc: Kalle Valo , Hu Jiahui , Security Officers , linux-wireless@vger.kernel.org, Jakub Kicinski Content-Type: text/plain; charset="UTF-8" Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Wed, May 27, 2020 at 11:48 AM Dan Carpenter wrote: > > The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from > skb->data even when skb->len is less than ETH_ZLEN so it leads to a read > overflow. > > The fix is to pad skb->data to at least ETH_ZLEN bytes. > > Cc: > Reported-by: Hu Jiahui > Signed-off-by: Dan Carpenter > --- > v2: remove an unnecessary if statement > increment the ->tx_dropped count on failure > fix found two more instances of the same bug. > fix typo in the "Cc: " tag > v3: I had thought that skb_padto() updated skb->len so that it would > always be more than ETH_ZLEN meaning that we could delete the checks > for smaller values: "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;" > But I was wrong and those are still required. > > drivers/net/wireless/cisco/airo.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > Reviewed-by: Eric Dumazet