summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSasha Levin <sasha.levin@oracle.com>2015-03-23 15:30:00 -0400
committerDavid S. Miller <davem@davemloft.net>2015-03-24 12:50:39 -0400
commit610600c8c5e25d551a010b64412cf731c084b1e1 (patch)
treeaa1e059d0a28f346d32e764c7720ff8126fc8f49
parent0117ec1970c5fa9c566045e7df8db76acc8f150e (diff)
downloadlinux-610600c8c5e25d551a010b64412cf731c084b1e1.tar.gz
linux-610600c8c5e25d551a010b64412cf731c084b1e1.tar.bz2
linux-610600c8c5e25d551a010b64412cf731c084b1e1.zip
tipc: validate length of sockaddr in connect() for dgram/rdm
Commit f2f8036 ("tipc: add support for connect() on dgram/rdm sockets") hasn't validated user input length for the sockaddr structure which allows a user to overwrite kernel memory with arbitrary input. Fixes: f2f8036 ("tipc: add support for connect() on dgram/rdm sockets") Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/tipc/socket.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 6dd5bd95236a..094710519477 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1851,6 +1851,8 @@ static int tipc_connect(struct socket *sock, struct sockaddr *dest,
if (dst->family == AF_UNSPEC) {
memset(&tsk->remote, 0, sizeof(struct sockaddr_tipc));
tsk->connected = 0;
+ } else if (destlen != sizeof(struct sockaddr_tipc)) {
+ res = -EINVAL;
} else {
memcpy(&tsk->remote, dest, destlen);
tsk->connected = 1;