All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20
@ 2003-01-10 14:52 David McCullough
  2003-01-10 16:19 ` Alan Cox
  0 siblings, 1 reply; 2+ messages in thread
From: David McCullough @ 2003-01-10 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: becker, jgarzik


Hi all,

Here's a patch for the ne2000 driver (ne.c) and the RealTek driver
(8139too.c) in the 2.4.20 kernel to fix the CERT vulnerability VU#412115:

	http://www.kb.cert.org/vuls/id/412115

For interest,  the smc9194 and FEC ethernet drivers appear to be ok.
Please CC me on any replies,

Cheers,
Davidm

--- linux-2.4.20/drivers/net/ne.c.orig	Sat Aug  3 10:39:44 2002
+++ linux-2.4.20/drivers/net/ne.c	Sat Jan 11 00:29:36 2003
@@ -623,6 +623,7 @@
 		const unsigned char *buf, const int start_page)
 {
 	int nic_base = NE_BASE;
+	int pad_count = count >= ETH_ZLEN ? count : ETH_ZLEN;
 	unsigned long dma_start;
 #ifdef NE_SANITY_CHECK
 	int retries = 0;
@@ -669,16 +670,22 @@
 	outb_p(ENISR_RDC, nic_base + EN0_ISR);
 
 	/* Now the normal output. */
-	outb_p(count & 0xff, nic_base + EN0_RCNTLO);
-	outb_p(count >> 8,   nic_base + EN0_RCNTHI);
+	outb_p(pad_count & 0xff, nic_base + EN0_RCNTLO);
+	outb_p(pad_count >> 8,   nic_base + EN0_RCNTHI);
 	outb_p(0x00, nic_base + EN0_RSARLO);
 	outb_p(start_page, nic_base + EN0_RSARHI);
 
 	outb_p(E8390_RWRITE+E8390_START, nic_base + NE_CMD);
 	if (ei_status.word16) {
 		outsw(NE_BASE + NE_DATAPORT, buf, count>>1);
+		while (count < pad_count) {
+			outw_p(0x00, NE_BASE + NE_DATAPORT);
+			count += 2;
+		}
 	} else {
 		outsb(NE_BASE + NE_DATAPORT, buf, count);
+		while (count++ < pad_count)
+			outb_p(0x00, NE_BASE + NE_DATAPORT);
 	}
 
 	dma_start = jiffies;


--- linux-2.4.20/drivers/net/8139too.c.orig	Fri Nov 29 09:53:13 2002
+++ linux-2.4.20/drivers/net/8139too.c	Sat Jan 11 00:29:36 2003
@@ -1683,6 +1683,9 @@
 
 	if (likely(len < TX_BUF_SIZE)) {
 		skb_copy_and_csum_dev(skb, tp->tx_buf[entry]);
+		/* PAD the frame out with zeroes */
+		if (len < (unsigned int) ETH_ZLEN)
+			memset(tp->tx_buf[entry] + len, 0, ETH_ZLEN - len);
 		dev_kfree_skb(skb);
 	} else {
 		dev_kfree_skb(skb);

-- 
David McCullough:    Ph: +61 7 3435 2815  http://www.SnapGear.com
davidm@snapgear.com  Fx: +61 7 3891 3630  Custom Embedded Solutions + Security

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2003-01-10 15:25 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-01-10 14:52 [PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20 David McCullough
2003-01-10 16:19 ` Alan Cox

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.