Imported from https://chromium.googlesource.com/chromiumos/third_party/kernel/+/
e1aaf7ec008a97311867f0a7d0418e4693fecfd4%5E%21/#F0
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
CHROMIUM: net: ar8216: address security vulnerabilities in swconfig & ar8216
This patch does the following changes:
*address the security vulnerabilities in both swconfig framework and in
ar8216 driver (many bound check additions, and turned swconfig structure
signed element into unsigned when applicable)
*address a couple of whitespaces and indendation issues
BUG=chrome-os-partner:33096
TEST=none
Change-Id: I94ea78fcce8c1932cc584d1508c6e3b5dfb93ce9
Signed-off-by: Mathieu Olivari <mathieu@codeaurora.org>
Reviewed-on: https://chromium-review.googlesource.com/236490
Reviewed-by: Toshi Kikuchi <toshik@chromium.org>
Commit-Queue: Toshi Kikuchi <toshik@chromium.org>
Tested-by: Toshi Kikuchi <toshik@chromium.org>
if ((buf[12 + 2] != 0x81) || (buf[13 + 2] != 0x00))
return;
if ((buf[12 + 2] != 0x81) || (buf[13 + 2] != 0x00))
return;
/* no need to fix up packets coming from a tagged source */
if (priv->vlan_tagged & (1 << port))
/* no need to fix up packets coming from a tagged source */
if (priv->vlan_tagged & (1 << port))
/* make sure no invalid PVIDs get set */
/* make sure no invalid PVIDs get set */
- if (vlan >= dev->vlans)
+ if (vlan < 0 || vlan >= dev->vlans ||
+ port < 0 || port >= AR8X16_MAX_PORTS)
return -EINVAL;
priv->pvid[port] = vlan;
return -EINVAL;
priv->pvid[port] = vlan;
ar8xxx_sw_get_pvid(struct switch_dev *dev, int port, int *vlan)
{
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
ar8xxx_sw_get_pvid(struct switch_dev *dev, int port, int *vlan)
{
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+
+ if (port < 0 || port >= AR8X16_MAX_PORTS)
+ return -EINVAL;
+
*vlan = priv->pvid[port];
return 0;
}
*vlan = priv->pvid[port];
return 0;
}
struct switch_val *val)
{
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
struct switch_val *val)
{
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+
+ if (val->port_vlan >= AR8X16_MAX_PORTS)
+ return -EINVAL;
+
priv->vlan_id[val->port_vlan] = val->value.i;
return 0;
}
priv->vlan_id[val->port_vlan] = val->value.i;
return 0;
}
ar8xxx_sw_get_ports(struct switch_dev *dev, struct switch_val *val)
{
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
ar8xxx_sw_get_ports(struct switch_dev *dev, struct switch_val *val)
{
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
- u8 ports = priv->vlan_table[val->port_vlan];
+ if (val->port_vlan >= AR8X16_MAX_VLANS)
+ return -EINVAL;
+
+ ports = priv->vlan_table[val->port_vlan];
val->len = 0;
for (i = 0; i < dev->ports; i++) {
struct switch_port *p;
val->len = 0;
for (i = 0; i < dev->ports; i++) {
struct switch_port *p;
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
const struct ar8xxx_chip *chip = priv->chip;
u64 *mib_stats, mib_data;
struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
const struct ar8xxx_chip *chip = priv->chip;
u64 *mib_stats, mib_data;
int ret;
char *buf = priv->buf;
char buf1[64];
int ret;
char *buf = priv->buf;
char buf1[64];
struct genlmsghdr *hdr = nlmsg_data(info->nlhdr);
const struct switch_attrlist *alist;
const struct switch_attr *attr = NULL;
struct genlmsghdr *hdr = nlmsg_data(info->nlhdr);
const struct switch_attrlist *alist;
const struct switch_attr *attr = NULL;
/* defaults */
struct switch_attr *def_list;
/* defaults */
struct switch_attr *def_list;
val->len = 0;
nla_for_each_nested(nla, head, rem) {
struct nlattr *tb[SWITCH_PORT_ATTR_MAX+1];
val->len = 0;
nla_for_each_nested(nla, head, rem) {
struct nlattr *tb[SWITCH_PORT_ATTR_MAX+1];
- struct switch_port *port = &val->value.ports[val->len];
+ struct switch_port *port;
if (val->len >= max)
return -EINVAL;
if (val->len >= max)
return -EINVAL;
+ port = &val->value.ports[val->len];
+
if (nla_parse_nested(tb, SWITCH_PORT_ATTR_MAX, nla,
port_policy))
return -EINVAL;
if (nla_parse_nested(tb, SWITCH_PORT_ATTR_MAX, nla,
port_policy))
return -EINVAL;
+ /* Make sure swdev_id doesn't overflow */
+ if (swdev_id == INT_MAX) {
+ return -ENOMEM;
+ }
+
if (dev->ports > 0) {
dev->portbuf = kzalloc(sizeof(struct switch_port) *
dev->ports, GFP_KERNEL);
if (dev->ports > 0) {
dev->portbuf = kzalloc(sizeof(struct switch_port) *
dev->ports, GFP_KERNEL);
module_init(swconfig_init);
module_exit(swconfig_exit);
module_init(swconfig_init);
module_exit(swconfig_exit);
const char *alias;
struct net_device *netdev;
const char *alias;
struct net_device *netdev;
- int ports;
- int vlans;
- int cpu_port;
+ unsigned int ports;
+ unsigned int vlans;
+ unsigned int cpu_port;
/* the following fields are internal for swconfig */
/* the following fields are internal for swconfig */
struct list_head dev_list;
unsigned long def_global, def_port, def_vlan;
struct list_head dev_list;
unsigned long def_global, def_port, def_vlan;
struct switch_val {
const struct switch_attr *attr;
struct switch_val {
const struct switch_attr *attr;
- int port_vlan;
- int len;
+ unsigned int port_vlan;
+ unsigned int len;
union {
const char *s;
u32 i;
union {
const char *s;
u32 i;
projects / openwrt / staging / yousong.git / commitdiff