domenico/openwrt-R7800-nss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

net: ar8216: address security vulnerabilities in swconfig & ar8216

Browse Source 
Imported from e1aaf7ec00%5E%21/#F0
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>

CHROMIUM: net: ar8216: address security vulnerabilities in swconfig & ar8216

This patch does the following changes:
*address the security vulnerabilities in both swconfig framework and in
 ar8216 driver (many bound check additions, and turned swconfig structure
 signed element into unsigned when applicable)
*address a couple of whitespaces and indendation issues

BUG=chrome-os-partner:33096
TEST=none

Change-Id: I94ea78fcce8c1932cc584d1508c6e3b5dfb93ce9
Signed-off-by: Mathieu Olivari <mathieu@codeaurora.org>
Reviewed-on: https://chromium-review.googlesource.com/236490
Reviewed-by: Toshi Kikuchi <toshik@chromium.org>
Commit-Queue: Toshi Kikuchi <toshik@chromium.org>
Tested-by: Toshi Kikuchi <toshik@chromium.org>
This commit is contained in:
Pavel Kubelun
2016-11-28 18:10:05 +03:00
committed by John Crispin
parent a3454d1929
commit 5a69f59602
3 changed files with 32 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
target/linux/generic/files/drivers/net/phy/swconfig.c
View File

@@ -506,7 +506,7 @@ swconfig_lookup_attr(struct switch_dev *dev, struct genl_info *info,
struct genlmsghdr *hdr = nlmsg_data(info->nlhdr);
const struct switch_attrlist *alist;
const struct switch_attr *attr = NULL;
int attr_id;
unsigned int attr_id;
/* defaults */
struct switch_attr *def_list;
@@ -590,11 +590,13 @@ swconfig_parse_ports(struct sk_buff *msg, struct nlattr *head,
val->len = 0;
nla_for_each_nested(nla, head, rem) {
struct nlattr *tb[SWITCH_PORT_ATTR_MAX+1];
struct switch_port *port = &val->value.ports[val->len];
struct switch_port *port;
if (val->len >= max)
return -EINVAL;
port = &val->value.ports[val->len];
if (nla_parse_nested(tb, SWITCH_PORT_ATTR_MAX, nla,
port_policy))
return -EINVAL;
@@ -1111,6 +1113,11 @@ register_switch(struct switch_dev *dev, struct net_device *netdev)
}
BUG_ON(!dev->alias);
/* Make sure swdev_id doesn't overflow */
if (swdev_id == INT_MAX) {
return -ENOMEM;
}
if (dev->ports > 0) {
dev->portbuf = kzalloc(sizeof(struct switch_port) *
dev->ports, GFP_KERNEL);
@@ -1227,4 +1234,3 @@ swconfig_exit(void)
module_init(swconfig_init);
module_exit(swconfig_exit);