From: Rusty Russell Date: Sun, 13 Apr 2008 01:49:30 +0000 (-0700) Subject: net: check for underlength tap writes X-Git-Tag: firefly_0821_release~21643^2~18 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=e01bf1c83332c4653ffd30eed20a94a9c83d82b2;p=firefly-linux-kernel-4.4.55.git net: check for underlength tap writes If the user gives a packet under 14 bytes, we'll end up reading off the end of the skb (not oopsing, just reading off the end). Signed-off-by: Rusty Russell Acked-by: Max Krasnyanskiy Signed-off-by: David S. Miller --- diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 970ec4793442..5b5d87585d91 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv, return -EFAULT; } - if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) + if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) { align = NET_IP_ALIGN; + if (unlikely(len < ETH_HLEN)) + return -EINVAL; + } if (!(skb = alloc_skb(len + align, GFP_KERNEL))) { tun->dev->stats.rx_dropped++;