From: Dan Carpenter <dan.carpenter@oracle.com>
To: Joerg Reuter <jreuter@yaina.de>, Peilin Ye <yepeilin.cs@gmail.com>
Cc: Ralf Baechle <ralf@linux-mips.org>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	linux-hams@vger.kernel.org, netdev@vger.kernel.org,
	gregkh@linuxfoundation.org, syzkaller-bugs@googlegroups.com,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: [PATCH net] AX.25: Prevent integer overflows in connect and sendmsg
Date: Thu, 23 Jul 2020 17:49:57 +0300
Message-ID: <20200723144957.GA293102@mwanda>
In-Reply-To: <20200722.175714.1713497446730685740.davem@davemloft.net>

We recently added some bounds checking in ax25_connect() and
ax25_sendmsg() and so we removed the AX25_MAX_DIGIS checks because
they were no longer required.

Unfortunately, I believe they are required to prevent integer overflows
so I have added them back.

Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()")
Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
From code review.  Not tested.  It should be harmless though.

 net/ax25/af_ax25.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 0862fe49d434..dec3f35467c9 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1188,6 +1188,7 @@ static int __must_check ax25_connect(struct socket *sock,
 	    fsa->fsa_ax25.sax25_ndigis != 0) {
 		/* Valid number of digipeaters ? */
 		if (fsa->fsa_ax25.sax25_ndigis < 1 ||
+		    fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS ||
 		    addr_len < sizeof(struct sockaddr_ax25) +
 		    sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {
 			err = -EINVAL;
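Review bot: the comment above this condition in ax25_connect() still reads only "Valid number of digipeaters ?", so nothing at the new `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` line records that it also has to be evaluated before the `sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis` product. The changelog says this bound was already dropped once as no longer required, so extend the comment to state that the upper limit keeps the size computation from overflowing and must stay ahead of the addr_len comparison in the || chain.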
@@ -1509,7 +1510,9 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 			struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
 
 			/* Valid number of digipeaters ? */
-			if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
+			if (usax->sax25_ndigis < 1 ||
+			    usax->sax25_ndigis > AX25_MAX_DIGIS ||
+			    addr_len < sizeof(struct sockaddr_ax25) +
 			    sizeof(ax25_address) * usax->sax25_ndigis) {
 				err = -EINVAL;
 				goto out;
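Review bot: the three-part test in ax25_sendmsg() is now the same condition as the one in ax25_connect(), written out a second time against `usax` instead of `fsa->fsa_ax25`; a small shared helper taking the digipeater count and addr_len would keep the two bounds from drifting apart again. Since the note under the changelog says the change is untested, a sendmsg() call with sax25_ndigis one above AX25_MAX_DIGIS that expects -EINVAL would be a cheap confirmation before this is merged.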
-- 
2.27.0
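An added illustration, not part of the patch or of the kernel source: a user-space model of the length comparison in the hunks above, showing how the size product can wrap when the digipeater count has no upper bound. It assumes size arithmetic is 32 bits wide, and the constants 16, 7 and 8 are stand-ins chosen here for sizeof(struct sockaddr_ax25), sizeof(ax25_address) and AX25_MAX_DIGIS.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins (assumptions of this example, not kernel headers). */
#define MODEL_SOCKADDR_SIZE 16u /* stands in for sizeof(struct sockaddr_ax25) */
#define MODEL_ADDRESS_SIZE   7u /* stands in for sizeof(ax25_address) */
#define MODEL_MAX_DIGIS      8  /* stands in for AX25_MAX_DIGIS */

/* Bytes the check demands for ndigis digipeaters, in wrapping 32-bit math. */
static uint32_t required_len(int ndigis)
{
    return MODEL_SOCKADDR_SIZE + MODEL_ADDRESS_SIZE * (uint32_t)ndigis;
}

/* The comparison without the upper bound: 1 = accepted, 0 = -EINVAL. */
static int accepts_unbounded(uint32_t addr_len, int ndigis)
{
    return !(ndigis < 1 || addr_len < required_len(ndigis));
}

/* The comparison as the patch writes it, upper bound tested first. */
static int accepts_bounded(uint32_t addr_len, int ndigis)
{
    return !(ndigis < 1 || ndigis > MODEL_MAX_DIGIS ||
             addr_len < required_len(ndigis));
}

int main(void)
{
    /* Constructed inputs: a 72-byte address and three digipeater counts. */
    const uint32_t addr_len = 72;
    const int samples[] = { 8, 9, 613566757 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = samples[i];
        printf("ndigis=%-10d required=%-10u unbounded=%d bounded=%d\n",
               n, (unsigned)required_len(n),
               accepts_unbounded(addr_len, n), accepts_bounded(addr_len, n));
    }
    return 0;
}
```

The third sample is the case of interest: 7 * 613566757 exceeds 2^32 by 3, so the demanded length wraps to 19 bytes and the unbounded comparison accepts a count far above the limit, while the bounded one rejects it before the product is computed.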


