Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-26 Thread Li Qiang
Jason Wang 于2020年3月27日周五 上午10:53写道: > > On 2020/3/27 上午10:35, Li Qiang wrote: > > > > > > Jason Wang mailto:jasow...@redhat.com>> > > 于2020年3月27日周五 上午10:09写道: > > > > > > On 2020/3/24 下午10:54, Li Qiang wrote: > > > > > > > > > Jason Wang mailto:jasow...@redhat.com> > >

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-26 Thread Jason Wang
On 2020/3/27 上午10:35, Li Qiang wrote: Jason Wang mailto:jasow...@redhat.com>> 于2020年3月27日周五 上午10:09写道: On 2020/3/24 下午10:54, Li Qiang wrote: > > > Jason Wang mailto:jasow...@redhat.com> >> > 于2020年3月24日周二 下午1:

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-26 Thread Li Qiang
Jason Wang 于2020年3月27日周五 上午10:09写道: > > On 2020/3/24 下午10:54, Li Qiang wrote: > > > > > > Jason Wang mailto:jasow...@redhat.com>> > > 于2020年3月24日周二 下午1:45写道: > > > > > > On 2020/3/24 上午9:29, Li Qiang wrote: > > > > > > > > > P J P mailto:ppan...@redhat.com> > >

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-26 Thread Jason Wang
On 2020/3/24 下午10:54, Li Qiang wrote: Jason Wang mailto:jasow...@redhat.com>> 于2020年3月24日周二 下午1:45写道: On 2020/3/24 上午9:29, Li Qiang wrote: > > > P J P mailto:ppan...@redhat.com> >> 于2020年3月23日周一 > 下午8:24写道:

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-25 Thread P J P
+-- On Tue, 24 Mar 2020, Jason Wang wrote --+ | > Why here is '>=' instead of '>'. IIUC the total sending length can reach | > to sizeof(s->rx_frame). Same in the other place in this patch. | | Yes, this need to be fixed. Sent patch v7. Thank you. -- Prasad J Pandit / Red Hat Product Security Te

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-24 Thread Li Qiang
Jason Wang 于2020年3月24日周二 下午1:45写道: > > On 2020/3/24 上午9:29, Li Qiang wrote: > > > > > > P J P mailto:ppan...@redhat.com>> 于2020年3月23日周一 > > 下午8:24写道: > > > > From: Prasad J Pandit > > > > > > Tulip network driver while copying tx/rx buffers does not che

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-24 Thread P J P
+-- On Tue, 24 Mar 2020, Jason Wang wrote --+ | > +        if (s->rx_frame_len + len >= sizeof(s->rx_frame)) { | > +            return; | > +        } | > | > Why here is '>=' instead of '>'. IIUC the total sending length can reach | > to sizeof(s->rx_frame). Same in the other place in

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-23 Thread Jason Wang
On 2020/3/24 上午9:29, Li Qiang wrote: P J P mailto:ppan...@redhat.com>> 于2020年3月23日周一 下午8:24写道: From: Prasad J Pandit mailto:p...@fedoraproject.org>> Tulip network driver while copying tx/rx buffers does not check frame size against r/w data length. This may lead to OOB buffer

Re: [PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-23 Thread Li Qiang
P J P 于2020年3月23日周一 下午8:24写道: > From: Prasad J Pandit > > Tulip network driver while copying tx/rx buffers does not check > frame size against r/w data length. This may lead to OOB buffer > access. Add check to avoid it. > > Limit iterations over descriptors to avoid potential infinite > loop is

[PATCH v6 1/2] net: tulip: check frame size and r/w data length

2020-03-23 Thread P J P
From: Prasad J Pandit Tulip network driver while copying tx/rx buffers does not check frame size against r/w data length. This may lead to OOB buffer access. Add check to avoid it. Limit iterations over descriptors to avoid potential infinite loop issue in tulip_xmit_list_update. Reported-by: L