From a30cfa475d1a26c18f1998ba1e034a4e2ab4c7a8 Mon Sep 17 00:00:00 2001 From: David Fries Date: Mon, 10 Nov 2014 20:19:36 -0600 Subject: cn: verify msg->len before making callback The struct cn_msg len field comes from userspace and needs to be validated. More logical to do so here where the cn_msg pointer is pulled out of the sk_buff than the callback which is passed cn_msg * and might assume no validation is needed. Reported-by: Dan Carpenter Acked-by: Evgeniy Polyakov Signed-off-by: David Fries Signed-off-by: Greg Kroah-Hartman --- drivers/connector/connector.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers/connector/connector.c') diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index f612d68629dc..30f522848c73 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -141,12 +141,18 @@ EXPORT_SYMBOL_GPL(cn_netlink_send); */ static int cn_call_callback(struct sk_buff *skb) { + struct nlmsghdr *nlh; struct cn_callback_entry *i, *cbq = NULL; struct cn_dev *dev = &cdev; struct cn_msg *msg = nlmsg_data(nlmsg_hdr(skb)); struct netlink_skb_parms *nsp = &NETLINK_CB(skb); int err = -ENODEV; + /* verify msg->len is within skb */ + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < NLMSG_HDRLEN + sizeof(struct cn_msg) + msg->len) + return -EINVAL; + spin_lock_bh(&dev->cbdev->queue_lock); list_for_each_entry(i, &dev->cbdev->queue_list, callback_entry) { if (cn_cb_equal(&i->id.id, &msg->id)) { -- cgit v1.2.3