diff options
author | Mateusz Jurczyk <mjurczyk@google.com> | 2017-06-13 20:06:12 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-06-13 16:16:11 -0400 |
commit | 20a3d5bf5e5b13c02450ab6178ec374abd830686 (patch) | |
tree | 11d51c4ad2457225fef5b52a30b0a8567c3ff379 /net | |
parent | 7de84403a2020874714f6f40170f5ef9fc7ab58e (diff) | |
download | linux-20a3d5bf5e5b13c02450ab6178ec374abd830686.tar.gz linux-20a3d5bf5e5b13c02450ab6178ec374abd830686.tar.bz2 linux-20a3d5bf5e5b13c02450ab6178ec374abd830686.zip |
caif: Add sockaddr length check before accessing sa_family in connect handler
Verify that the caller-provided sockaddr structure is large enough to
contain the sa_family field, before accessing it in the connect()
handler of the AF_CAIF socket. Since the syscall doesn't enforce a minimum
size of the corresponding memory region, very short sockaddrs (zero or one
byte long) result in operating on uninitialized memory while referencing
sa_family.
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/caif/caif_socket.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index adcad344c843..21f18ea2fce4 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -754,6 +754,10 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, lock_sock(sk); + err = -EINVAL; + if (addr_len < offsetofend(struct sockaddr, sa_family)) + goto out; + err = -EAFNOSUPPORT; if (uaddr->sa_family != AF_CAIF) goto out; |