The driver used the PHR as the frame length without checking its format or whether it fits in the skb. This patch adds a check that rejects invalid PHR values (MSB set) and also rejects frames too big to fit into the skb (which should never happen).
Signed-off-by: Werner Almesberger <[email protected]>
---
 drivers/ieee802154/at86rf230.c | 19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/ieee802154/at86rf230.c b/drivers/ieee802154/at86rf230.c
index f8b15e9..80e0faf 100644
--- a/drivers/ieee802154/at86rf230.c
+++ b/drivers/ieee802154/at86rf230.c
@@ -230,6 +230,17 @@ at86rf230_read_fbuf(struct at86rf230_local *lp, u8 *data, u8 *len, u8 *lqi)
 status = spi_sync(lp->spi, &msg);
 dev_vdbg(&lp->spi->dev, "status = %d\n", status);
+ if (buf[1] & 0x80) {
+ dev_err(&lp->spi->dev, "invalid PHR 0x%02x\n", buf[1]);
+ status = -EIO;
+ goto fail;
+ }
+ if (buf[1] >= *len) {
+ dev_err(&lp->spi->dev, "PHR 0x%02x >= buffer %d bytes\n",
+ buf[1], *len);
+ status = -EMSGSIZE;
+ goto fail;
+ }
 xfer_buf.len = *(buf + 1) + 1;
 *len = buf[1];
@@ -253,6 +264,7 @@ at86rf230_read_fbuf(struct at86rf230_local *lp, u8 *data, u8 *len, u8 *lqi)
 *lqi = data[lp->buf[1]];
 }
+fail:
 mutex_unlock(&lp->bmux);
 return status;
@@ -418,7 +430,7 @@ err:
 static int at86rf230_rx(struct at86rf230_local *lp)
 {
 u8 len = 128, lqi = 0;
- int rc;
+ int rc, rc2;
 struct sk_buff *skb;
 skb = alloc_skb(len, GFP_KERNEL);
@@ -427,9 +439,11 @@ static int at86rf230_rx(struct at86rf230_local *lp)
 /* FIXME: process return status */
 rc = at86rf230_write_subreg(lp, SR_RX_PDT_DIS, 1);
- rc = at86rf230_read_fbuf(lp, skb_put(skb, len), &len, &lqi);
+ rc2 = at86rf230_read_fbuf(lp, skb_put(skb, len), &len, &lqi);
 rc = at86rf230_write_subreg(lp, SR_RX_SAFE_MODE, 1);
 rc = at86rf230_write_subreg(lp, SR_RX_PDT_DIS, 0);
+ if (rc2 < 0)
+ goto err_fbuf;
 if (len < 2)
 goto err;
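Review bot: The two new checks in at86rf230_read_fbuf inspect buf[1] without first looking at the status that spi_sync() returned on the line just above; if the transfer failed, buf[1] is whatever the buffer already held, so a stale value can pass both checks and still feed xfer_buf.len and *len. Now that a fail label exists this is a one-liner right after the dev_vdbg: `if (status) goto fail;`. Separately, this is the receive path (read_fbuf is called from at86rf230_rx in a later hunk), so any node in radio range that emits frames with a bad PHR byte makes dev_err() fire once per frame; wrapping the two dev_err calls in `if (net_ratelimit())`, or demoting them to dev_dbg, keeps a malformed-frame flood from becoming a log flood. The function starts and ends outside this hunk, so the remaining uses of status there are not visible here.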
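Review bot: `goto err_fbuf` discards rc2: the new label (added in a later hunk) sits directly above `kfree_skb(skb); return -EINVAL;`, so the caller sees -EINVAL for a rejected PHR exactly as for a too-short frame and the -EIO/-EMSGSIZE distinction that at86rf230_read_fbuf now makes is lost. Giving the label its own exit keeps it: `err_fbuf: kfree_skb(skb); return rc2;` with the existing err: path left returning -EINVAL. Note also that skb_put(skb, len) commits all 128 bytes before the PHR is validated; that appears safe because read_fbuf now refuses any PHR >= *len, but the copy itself and the later trim to the real length are outside this hunk and cannot be confirmed here. The three at86rf230_write_subreg return values are still dropped, as the FIXME above them already records.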
@@ -445,6 +459,7 @@ static int at86rf230_rx(struct at86rf230_local *lp)
 err:
 pr_debug("%s: received frame is too small\n", __func__);
+err_fbuf:
 kfree_skb(skb);
 return -EINVAL;
 }
--
1.7.0.4
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.. http://p.sf.net/sfu/splunk-d2d-c1
_______________________________________________
Linux-zigbee-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-zigbee-devel
