Message ID | 20211111125118.1441463-1-mudongliangabcd@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | net: ieee802154: fix shift-out-of-bound in nl802154_new_interface | expand |
11/11/21 3:51 PM, Dongliang Mu пишет: > In nl802154_new_interface, if type retrieved from info->attr is > NL802154_IFTYPE_UNSPEC(-1), i.e., less than NL802154_IFTYPE_MAX, > it will trigger a shift-out-of-bound bug in BIT(type). > > Fix this by adding a condition to check if the variable type is > larger than NL802154_IFTYPE_UNSPEC(-1). Please add Fixes tag > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > --- > net/ieee802154/nl802154.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c > index 277124f206e0..cecf5ce0aa20 100644 > --- a/net/ieee802154/nl802154.c > +++ b/net/ieee802154/nl802154.c > @@ -915,7 +915,7 @@ static int nl802154_new_interface(struct sk_buff *skb, struct genl_info *info) > > if (info->attrs[NL802154_ATTR_IFTYPE]) { > type = nla_get_u32(info->attrs[NL802154_ATTR_IFTYPE]); > - if (type > NL802154_IFTYPE_MAX || > + if (type <= NL802154_IFTYPE_UNSPEC || type > NL802154_IFTYPE_MAX || > !(rdev->wpan_phy.supported.iftypes & BIT(type))) > return -EINVAL; > } >
diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c index 277124f206e0..cecf5ce0aa20 100644 --- a/net/ieee802154/nl802154.c +++ b/net/ieee802154/nl802154.c @@ -915,7 +915,7 @@ static int nl802154_new_interface(struct sk_buff *skb, struct genl_info *info) if (info->attrs[NL802154_ATTR_IFTYPE]) { type = nla_get_u32(info->attrs[NL802154_ATTR_IFTYPE]); - if (type > NL802154_IFTYPE_MAX || + if (type <= NL802154_IFTYPE_UNSPEC || type > NL802154_IFTYPE_MAX || !(rdev->wpan_phy.supported.iftypes & BIT(type))) return -EINVAL; }
In nl802154_new_interface, if type retrieved from info->attr is NL802154_IFTYPE_UNSPEC(-1), i.e., less than NL802154_IFTYPE_MAX, it will trigger a shift-out-of-bound bug in BIT(type). Fix this by adding a condition to check if the variable type is larger than NL802154_IFTYPE_UNSPEC(-1). Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> --- net/ieee802154/nl802154.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)