tehuti: check register size (CVE-2008-1675)

commit 6131a2601f42cd7fdbac0e960713396fe68af59f upstream

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/net/tehuti.c b/drivers/net/tehuti.c
index 17585e5eed5379c2299f85f92a3956768850161e..d2e1b219673d4ea0cb063fe9324ee935a9b78f60 100644 (file)
--- a/drivers/net/tehuti.c
+++ b/drivers/net/tehuti.c
@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianess(void)
                s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
 }
 
+static int bdx_range_check(struct bdx_priv *priv, u32 offset)
+{
+       return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
+               -EINVAL : 0;
+}
+
 static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
 {
        struct bdx_priv *priv = ndev->priv;
@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
        switch (data[0]) {
 
        case BDX_OP_READ:
+               error = bdx_range_check(priv, data[1]);
+               if (error < 0)
+                       return error;
                data[2] = READ_REG(priv, data[1]);
                DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2],
                    data[2]);
@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
                break;
 
        case BDX_OP_WRITE:
+               if (!capable(CAP_NET_ADMIN))
+                       return -EPERM;
+               error = bdx_range_check(priv, data[1]);
+               if (error < 0)
+                       return error;
                WRITE_REG(priv, data[1], data[2]);
                DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
                break;