Hi Bill, I have a concern about the following code:
drivers/staging/dgrp/dgrp_net_ops.c:3159 dgrp_receive()
3128 plen = get_unaligned_be16(b + 2);
3129
3130 if (plen < 4 || plen > 1000) {
^^^^^^^^
plen can be as small as 4 here, because the check only rejects values below 4; it is declared as a signed long.
3131 error = "Response Packet length
error";
3132 goto prot_error;
3133 }
3134
3135 nd->nd_tx_work = 1;
3136
3137 switch (b[1]) {
3138 /*
3139 * Echo packet.
3140 */
3141
3142 case 0:
3143 nd->nd_expect &= ~NR_ECHO;
3144 break;
3145
3146 /*
3147 * Product Response Packet.
3148 */
3149
3150 case 1:
3151 {
3152 int desclen;
3153
3154 nd->nd_hw_ver = (b[8]
<< 8) | b[9];
3155 nd->nd_sw_ver = (b[10]
<< 8) | b[11];
3156 nd->nd_hw_id = b[6];
3157 desclen = ((plen - 12)
> MAX_DESC_LEN) ? MAX_DESC_LEN :
3158 plen - 12;
3159 strncpy(nd->nd_ps_desc,
b + 12, desclen);
^^^^^^^
With plen == 4, desclen is 4 - 12 = -8 here. strncpy()'s length parameter is size_t, so the negative value is converted to a huge unsigned count and the copy runs past the end of nd->nd_ps_desc; the nd->nd_ps_desc[desclen] = 0 store on the next line then writes before the start of the array as well. Since the length comes straight off the wire, the case-1 branch presumably needs its own check that plen >= 12 (or desclen must be clamped to a non-negative value) before the copy.
3160 nd->nd_ps_desc[desclen]
= 0;
3161 }
regards,
dan carpenter
