From: Dan Carpenter <error27@gmail.com>
To: Phillip Potter <phil@philpotter.co.uk>
Cc: Pavel Skripkin <paskripkin@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Deepak R Varma <drv@mailo.com>,
Charlie Sands <sandsch@northvilleschools.net>,
Mahak Gupta <mahak_g@cs.iitr.ac.in>,
Alaa Mohamed <eng.alaamohamedsoliman.am@gmail.com>,
linux-staging@lists.linux.dev, kernel-janitors@vger.kernel.org
Subject: [PATCH] staging: r8188eu: fix a potential integer underflow bug
Date: Wed, 22 Feb 2023 16:59:41 +0300
Message-ID: <Y/YfzZeFCAPiZ6RV@kili>

Here the code is testing to see if skb->len meets a minimum size
requirement. However if skb->len is very small then the ETH_HLEN
subtraction will result in a negative which is then type promoted
to an unsigned int and the condition will be true.

Generally, when you have an untrusted variable like skb->len, you
should move all the math to the other side of the comparison.

Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested only. This is basic algebra of moving parts of the
equation from one side to the other and I am surprisingly bad at
something that I was supposed to have learned in 9th grade.
drivers/staging/r8188eu/core/rtw_br_ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/r8188eu/core/rtw_br_ext.c b/drivers/staging/r8188eu/core/rtw_br_ext.c
index a7c67014dde0..f49e32c33372 100644
--- a/drivers/staging/r8188eu/core/rtw_br_ext.c
+++ b/drivers/staging/r8188eu/core/rtw_br_ext.c
@@ -538,7 +538,7 @@ int nat25_db_handle(struct adapter *priv, struct sk_buff *skb, int method)
/*------------------------------------------------*/
struct ipv6hdr *iph = (struct ipv6hdr *)(skb->data + ETH_HLEN);
- if (sizeof(*iph) >= (skb->len - ETH_HLEN))
+ if (skb->len <= sizeof(*iph) + ETH_HLEN)
return -1;
switch (method) {
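Review bot: The rewritten test on the `+` line keeps the inclusive bound of the line it replaces, so a frame of exactly `sizeof(*iph) + ETH_HLEN` bytes (a complete IPv6 header with nothing after it) still returns -1. If that is intended because the code under `switch (method)` needs at least one byte past the header, a short comment saying so would help; otherwise `<` is the bound that rejects only truncated headers. Moving `ETH_HLEN` to the constant side is the right shape: `sizeof(*iph) + ETH_HLEN` cannot wrap, and the result no longer depends on `skb->len` being at least `ETH_HLEN`.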
--
2.39.1
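How the two comparisons behave on short lengths, as an added user-space example that is not part of the original patch or the driver. `rejects_before`, `rejects_after`, `count_disagreements` and `IPV6_HDR_LEN` are hypothetical names; the length is assumed to be `unsigned int` like `skb->len`, and 40 stands in for `sizeof(struct ipv6hdr)`.

```c
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN     14  /* Ethernet header length, same value as the kernel macro */
#define IPV6_HDR_LEN 40  /* assumption: stand-in for sizeof(struct ipv6hdr) */

/* Pre-patch form: the subtraction is done on the untrusted length.
 * For len < ETH_HLEN the unsigned result wraps to a huge value. */
static int rejects_before(unsigned int len)
{
    return (size_t)IPV6_HDR_LEN >= (len - ETH_HLEN);
}

/* Patched form: all arithmetic is on the constant side and cannot wrap. */
static int rejects_after(unsigned int len)
{
    return len <= (size_t)IPV6_HDR_LEN + ETH_HLEN;
}

/* Count the lengths in [0, max_len] where the two forms disagree. */
static unsigned int count_disagreements(unsigned int max_len)
{
    unsigned int len, n = 0;

    for (len = 0; len <= max_len; len++)
        if (rejects_before(len) != rejects_after(len))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample lengths around both boundaries. */
    static const unsigned int samples[] = { 0, 13, 14, 54, 55, 1500 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("len=%4u  before=%s  after=%s\n", samples[i],
               rejects_before(samples[i]) ? "reject" : "accept",
               rejects_after(samples[i]) ? "reject" : "accept");
    printf("disagreements for len 0..2000: %u\n", count_disagreements(2000));
    return 0;
}
```

The two forms differ only for lengths below `ETH_HLEN`, which the pre-patch comparison lets through and the patched one rejects.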