From e01bf1c83332c4653ffd30eed20a94a9c83d82b2 Mon Sep 17 00:00:00 2001 From: Rusty Russell <rusty@rustcorp.com.au> Date: Sat, 12 Apr 2008 18:49:30 -0700 Subject: net: check for underlength tap writes If the user gives a packet under 14 bytes, we'll end up reading off the end of the skb (not oopsing, just reading off the end). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Acked-by: Max Krasnyanskiy <maxk@qualcomm.com> Signed-off-by: David S. Miller <davem@davemloft.net> --- drivers/net/tun.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 970ec479344..5b5d87585d9 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -286,8 +286,11 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv, return -EFAULT; } - if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) + if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) { align = NET_IP_ALIGN; + if (unlikely(len < ETH_HLEN)) + return -EINVAL; + } if (!(skb = alloc_skb(len + align, GFP_KERNEL))) { tun->dev->stats.rx_dropped++; -- cgit v1.2.3-18-g5258