ax88172a: fix information leak on short answers

oneukum · gregkh · commit 63a44739bc53 · 2019-11-20T17:59:26.000+01:00
[ Upstream commit a9a51bd ] If a malicious device gives a short MAC it can elicit up to 5 bytes of leaked memory out of the driver. We need to check for ETH_ALEN instead. Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
@@ -208,7 +208,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
 
 	/* Get the MAC address */
 	ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
-	if (ret < 0) {
+	if (ret < ETH_ALEN) {
 		netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
 		goto free;
 	}

Original file line number	Diff line number	Diff line change
`@@ -208,7 +208,7 @@ static int ax88172a_bind(struct usbnet dev, struct usb_interface intf)`
`208`	`208`
`209`	`209`	`/* Get the MAC address */`
`210`	`210`	`ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);`
`211`		`- if (ret < 0) {`
	`211`	`+ if (ret < ETH_ALEN) {`
`212`	`212`	`netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);`
`213`	`213`	`goto free;`
`214`	`214`	`}`