ax88172a: fix information leak on short answers

If a malicious device gives a short MAC it can elicit up to 5 bytes of leaked memory out of the driver. We need to check for ETH_ALEN instead. Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Oliver Neukum <oneukum@suse.com> 2019-11-14 11:16:01 +0100
committer: David S. Miller <davem@davemloft.net> 2019-11-15 12:18:45 -0800
commit: a9a51bd727d141a67b589f375fe69d0e54c4fe22 (patch)
tree: e3b6e6e089f5dc283edef8a559138838fd634e48 /drivers
parent: selftests: mlxsw: Adjust test to recent changes (diff)
download: linux-dev-a9a51bd727d141a67b589f375fe69d0e54c4fe22.tar.xz
linux-dev-a9a51bd727d141a67b589f375fe69d0e54c4fe22.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index 011bd4cb546e..af3994e0853b 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -196,7 +196,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
 
 	/* Get the MAC address */
 	ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
-	if (ret < 0) {
+	if (ret < ETH_ALEN) {
 		netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
 		goto free;
 	}
author	Oliver Neukum <oneukum@suse.com>	2019-11-14 11:16:01 +0100
committer	David S. Miller <davem@davemloft.net>	2019-11-15 12:18:45 -0800
commit	a9a51bd727d141a67b589f375fe69d0e54c4fe22 (patch)
tree	e3b6e6e089f5dc283edef8a559138838fd634e48 /drivers
parent	selftests: mlxsw: Adjust test to recent changes (diff)
download	linux-dev-a9a51bd727d141a67b589f375fe69d0e54c4fe22.tar.xz linux-dev-a9a51bd727d141a67b589f375fe69d0e54c4fe22.zip