On Wed, May 27, 2020 at 11:48 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > > The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from > skb->data even when skb->len is less than ETH_ZLEN so it leads to a read > overflow. > > The fix is to pad skb->data to at least ETH_ZLEN bytes. > > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: Hu Jiahui <kirin.say@xxxxxxxxx> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > v2: remove an unnecessary if statement > increment the ->tx_dropped count on failure > fix found two more instances of the same bug. > fix typo in the "Cc: <stable@xxxxxxxxxxxxxxx>" tag > v3: I had thought that skb_padto() updated skb->len so that it would > always be more than ETH_ZLEN meaning that we could delete the checks > for smaller values: "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;" > But I was wrong and those are still required. > > drivers/net/wireless/cisco/airo.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
