Home Home > GIT Browse > SLE15
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-06-19 15:22:23 +0200
committerTakashi Iwai <tiwai@suse.de>2019-06-19 15:22:23 +0200
commita37dca9dd619283cf5ace0f191c9925c585b96ed (patch)
tree92cc4f03c85590dad0e40d95e4ce3f6cac5ff04a
parent6ec05b16a56165ba4ed7af05205997bf17e56210 (diff)
6lowpan: Off by one handling ->nexthdr (bsc#1051510).
-rw-r--r--patches.fixes/6lowpan-Off-by-one-handling-nexthdr.patch41
-rw-r--r--series.conf1
2 files changed, 42 insertions, 0 deletions
diff --git a/patches.fixes/6lowpan-Off-by-one-handling-nexthdr.patch b/patches.fixes/6lowpan-Off-by-one-handling-nexthdr.patch
new file mode 100644
index 0000000000..48413b0321
--- /dev/null
+++ b/patches.fixes/6lowpan-Off-by-one-handling-nexthdr.patch
@@ -0,0 +1,41 @@
+From f57c4bbf34439531adccd7d3a4ecc14f409c1399 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 3 Apr 2019 08:34:16 +0300
+Subject: [PATCH] 6lowpan: Off by one handling ->nexthdr
+Git-commit: f57c4bbf34439531adccd7d3a4ecc14f409c1399
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+NEXTHDR_MAX is 255. What happens here is that we take a u8 value
+"hdr->nexthdr" from the network and then look it up in
+lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff then
+we read one element beyond the end of the array so the array needs to
+be one element larger.
+
+Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/6lowpan/nhc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/6lowpan/nhc.c b/net/6lowpan/nhc.c
+index 4fa2fdda174d..9e56fb98f33c 100644
+--- a/net/6lowpan/nhc.c
++++ b/net/6lowpan/nhc.c
+@@ -18,7 +18,7 @@
+ #include "nhc.h"
+
+ static struct rb_root rb_root = RB_ROOT;
+-static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX];
++static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX + 1];
+ static DEFINE_SPINLOCK(lowpan_nhc_lock);
+
+ static int lowpan_nhc_insert(struct lowpan_nhc *nhc)
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 076dbf31bf..e60f88e4f1 100644
--- a/series.conf
+++ b/series.conf
@@ -22270,6 +22270,7 @@
patches.drivers/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch
patches.drivers/rtlwifi-fix-a-potential-NULL-pointer-dereference.patch
patches.drivers/Bluetooth-hidp-fix-buffer-overflow.patch
+ patches.fixes/6lowpan-Off-by-one-handling-nexthdr.patch
patches.drivers/Bluetooth-Align-minimum-encryption-key-size-for-LE-a.patch
patches.fixes/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
patches.drivers/ibmvnic-Add-device-identification-to-requested-IRQs.patch