ctcm: avoid wraparound in length of incoming data

Since the receive code should tolerate any incoming garbage, it should be protected against a potential wraparound when manipulating length values within incoming data. block_len is unsigned, so a too large subtraction will cause a wraparound. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Roel Kluin <roel.kluin@gmail.com> 2009-03-24 03:27:48 +0000
committer: David S. Miller <davem@davemloft.net> 2009-03-24 15:24:30 -0700
commit: fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6 (patch)
tree: 7097afe2b7adc07f38457549a1e89701153ecae9 /drivers/s390/net/ctcm_main.c
parent: 3a05d1404d91efd63f0654a4bf59b8803c32efdd (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index 59ce7fb7308..a7a25383db7 100644
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -105,7 +105,8 @@ void ctcm_unpack_skb(struct channel *ch, struct sk_buff *pskb)
 			return;
 		}
 		pskb->protocol = ntohs(header->type);
-		if (header->length <= LL_HEADER_LENGTH) {
+		if ((header->length <= LL_HEADER_LENGTH) ||
+		    (len <= LL_HEADER_LENGTH)) {
 			if (!(ch->logflags & LOG_FLAG_ILLEGALSIZE)) {
 				CTCM_DBF_TEXT_(ERROR, CTC_DBF_ERROR,
 					"%s(%s): Illegal packet size %d(%d,%d)"
author	Roel Kluin <roel.kluin@gmail.com>	2009-03-24 03:27:48 +0000
committer	David S. Miller <davem@davemloft.net>	2009-03-24 15:24:30 -0700
commit	fb8585fc3f9b39153e0bdaf03f00a02dde9c03c6 (patch)
tree	7097afe2b7adc07f38457549a1e89701153ecae9 /drivers/s390/net/ctcm_main.c
parent	3a05d1404d91efd63f0654a4bf59b8803c32efdd (diff)