linux/drivers/net
Teng Qi 0fa68da72c net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
The definition of macro MOTO_SROM_BUG is:
  #define MOTO_SROM_BUG    (lp->active == 8 && (get_unaligned_le32(
  dev->dev_addr) & 0x00ffffff) == 0x3e0008)

and the if statement
  if (MOTO_SROM_BUG) lp->active = 0;

using this macro indicates lp->active could be 8. If lp->active is 8 and
the second comparison of this macro is false. lp->active will remain 8 in:
  lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].mc  = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].mci = *p;

However, the length of array lp->phy is 8, so array overflows can occur.
To fix these possible array overflows, we first check lp->active and then
return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8).

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-11-18 12:03:17 +00:00
..
appletalk
arcnet
bonding bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed 2021-11-05 10:14:38 +00:00
caif
can Networking fixes for 5.16-rc1, including fixes from bpf, can 2021-11-11 09:49:36 -08:00
dsa net: dsa: mv88e6xxx: Don't support >1G speeds on 6191X on ports other than 10 2021-11-09 19:09:12 -08:00
ethernet net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 2021-11-18 12:03:17 +00:00
fddi fddi: defza: add missing pointer type cast 2021-10-25 10:28:47 -07:00
fjes net: fjes: constify and use eth_hw_addr_set() 2021-10-22 10:16:07 -07:00
hamradio hamradio: remove needs_free_netdev to avoid UAF 2021-11-12 19:56:47 -08:00
hippi net: hippi: use dev_addr_set() 2021-10-22 10:16:09 -07:00
hyperv hyperv-next for 5.16 2021-11-02 10:56:49 -07:00
ieee802154 ieee802154: Remove redundant 'flush_workqueue()' calls 2021-10-19 13:23:38 +01:00
ipa net: ipa: disable HOLB drop when updating timer 2021-11-15 13:25:45 +00:00
ipvlan net: ipvtap: fix template string argument of device_create() call 2021-10-16 08:51:22 +01:00
mctp
mdio
netdevsim netdevsim: fix uninit value in nsim_drv_configure_vfs() 2021-11-01 16:29:56 -07:00
pcs net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
phy net: phy: fix duplex out of sync problem while changing settings 2021-11-04 16:46:29 -07:00
plip net: plip: use eth_hw_addr_set() 2021-10-22 10:16:14 -07:00
ppp TTY / Serial driver update for 5.16-rc1 2021-11-04 09:09:37 -07:00
slip
team
usb net: usb: r8152: Add MAC passthrough support for more Lenovo Docks 2021-11-17 14:46:19 +00:00
vmxnet3 net: vmxnet3: remove multiple false checks in vmxnet3_ethtool.c 2021-11-01 16:35:27 -07:00
wan net: hldc_fr: use dev_addr_set() 2021-10-22 10:16:18 -07:00
wireguard
wireless Core: 2021-11-02 06:20:58 -07:00
wwan net: wwan: iosm: fix compilation warning 2021-11-11 11:45:44 +00:00
xen-netback net: xen: use eth_hw_addr_set() 2021-10-22 10:15:54 -07:00
amt.c amt: cancel delayed_work synchronously in amt_fini() 2021-11-16 19:14:12 -08:00
bareudp.c net: bareudp: fix duplicate checks of data[] expressions 2021-10-29 13:41:28 +01:00
dummy.c
eql.c
geneve.c
gtp.c
ifb.c ifb: fix building without CONFIG_NET_CLS_ACT 2021-10-29 14:01:11 +01:00
Kconfig amt: add IPV6 Kconfig dependency 2021-11-09 14:00:13 +00:00
LICENSE.SRC
loopback.c
macsec.c net: drivers: get ready for const netdev->dev_addr 2021-10-24 13:59:45 +01:00
macvlan.c net: drivers: get ready for const netdev->dev_addr 2021-10-24 13:59:45 +01:00
macvtap.c net: macvtap: fix template string argument of device_create() call 2021-10-16 08:51:21 +01:00
Makefile amt: add control plane of amt interface 2021-11-01 13:36:08 +00:00
mdio.c
mhi_net.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c net: sb1000,rionet: use eth_hw_addr_set() 2021-10-22 10:16:16 -07:00
sb1000.c net: sb1000,rionet: use eth_hw_addr_set() 2021-10-22 10:16:16 -07:00
Space.c
sungem_phy.c net: sungem_phy: fix code indentation 2021-11-09 11:45:54 +00:00
tap.c
thunderbolt.c net: thunderbolt: use eth_hw_addr_set() 2021-10-27 17:13:36 -07:00
tun.c tun: fix bonding active backup with arp monitoring 2021-11-15 13:00:26 +00:00
veth.c
virtio_net.c vhost,virtio,vhost: fixes,features 2021-11-03 15:00:39 -07:00
vrf.c vrf: run conntrack only in context of lower/physdev for locally generated packets 2021-10-26 13:21:10 +01:00
vsockmon.c
vxlan.c
xen-netfront.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00