From: Haimin Zhang <tcs.kernel@gmail.com>
To: alex.aring@gmail.com, stefan@datenfreihafen.org,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, linux-wpan@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Haimin Zhang <tcs_kernel@tencent.com>
Subject: [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg
Date: Mon, 22 Aug 2022 15:19:02 +0800
Message-ID: <20220822071902.3419042-1-tcs_kernel@tencent.com>

There is an uninit value bug in the dgram_sendmsg function in
net/ieee802154/socket.c when the length of the valid data pointed to by
msg->msg_name isn't verified.

This length is specified by msg->msg_namelen. Function
ieee802154_addr_from_sa is called by dgram_sendmsg, which uses
msg->msg_name as a struct sockaddr_ieee802154 * and reads it, which will
eventually lead to an uninit value read. So we should check that the length of
msg->msg_name is not less than sizeof(struct sockaddr_ieee802154)
before entering ieee802154_addr_from_sa.

Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
---
 net/ieee802154/socket.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 718fb77bb..efbe08590 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -655,6 +655,10 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 	if (msg->msg_name) {
 		DECLARE_SOCKADDR(struct sockaddr_ieee802154*,
 				 daddr, msg->msg_name);
+		if (msg->msg_namelen < sizeof(*daddr)) {
+			err = -EINVAL;
+			goto out_skb;
+		}
 
 		ieee802154_addr_from_sa(&dst_addr, &daddr->addr);
 	} else {
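Review bot: the new length check lands inside the `if (msg->msg_name)` block after the skb has already been allocated (the error path is `goto out_skb`), so a caller supplying a short `msg_namelen` pays for an skb allocation and free before being rejected; validating `msg->msg_namelen < sizeof(struct sockaddr_ieee802154)` at the top of dgram_sendmsg and returning -EINVAL directly would keep the rejection cheap and keep the allocation path free of another unwind label. The comparison itself is right as written: DECLARE_SOCKADDR declares `daddr` as a `struct sockaddr_ieee802154 *`, so `sizeof(*daddr)` is the full sockaddr the commit message refers to, and rejecting anything shorter is what stops ieee802154_addr_from_sa from reading bytes the caller never supplied.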
-- 
2.27.0
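The defensive step the patch adds, modelled in userspace as an added example (this is not the patch's or the kernel's code): a caller-supplied address buffer is only interpreted once its declared length covers the whole sockaddr. The struct layouts, the `demo_*` names and the `AF_IEEE802154_DEMO` value are assumptions for illustration and do not reproduce the kernel's definitions.

```c
/* Added example: userspace model of the msg_namelen check from the patch.
 * Struct layouts, demo_* names and the family constant are constructed for
 * illustration; they are not the kernel's sockaddr_ieee802154 definitions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_IEEE802154_DEMO 36   /* constructed family value for this example */
#define DEMO_ADDR_SHORT 1
#define DEMO_ADDR_LONG  2

/* Wire-form address as a caller would place it in msg->msg_name (assumed layout). */
struct demo_addr_sa {
    int addr_type;
    uint16_t pan_id;
    union {
        uint8_t  hwaddr[8];
        uint16_t short_addr;
    } u;
};

struct demo_sockaddr {
    uint16_t family;
    struct demo_addr_sa addr;
};

/* Internal representation, playing the role of dst_addr in dgram_sendmsg. */
struct demo_addr {
    int mode;
    uint16_t pan_id;
    uint64_t extended;
    uint16_t short_addr;
};

/* Stand-in for ieee802154_addr_from_sa: it reads every field of the wire form,
 * which is exactly why the caller must prove the whole struct was supplied. */
static void demo_addr_from_sa(struct demo_addr *a, const struct demo_addr_sa *sa)
{
    a->mode = sa->addr_type;
    a->pan_id = sa->pan_id;
    if (sa->addr_type == DEMO_ADDR_SHORT) {
        a->short_addr = sa->u.short_addr;
        a->extended = 0;
    } else {
        memcpy(&a->extended, sa->u.hwaddr, sizeof(a->extended));
        a->short_addr = 0;
    }
}

/* The check the patch introduces: refuse to interpret msg_name unless
 * msg_namelen covers a full sockaddr. Returns 0 on success, a negative errno
 * otherwise. The NULL case is this example's choice; the kernel function
 * handles an absent msg_name through its connected-peer path instead. */
int demo_parse_msg_name(const void *msg_name, size_t msg_namelen, struct demo_addr *dst)
{
    const struct demo_sockaddr *daddr = msg_name;

    if (!msg_name)
        return -EDESTADDRREQ;
    if (msg_namelen < sizeof(*daddr))
        return -EINVAL;        /* short buffer: bytes past namelen are not ours to read */
    if (daddr->family != AF_IEEE802154_DEMO)
        return -EINVAL;
    demo_addr_from_sa(dst, &daddr->addr);
    return 0;
}

/* Builds a constructed short-address sockaddr for the checks below. */
static struct demo_sockaddr demo_sample_sockaddr(void)
{
    struct demo_sockaddr sa;
    memset(&sa, 0, sizeof(sa));
    sa.family = AF_IEEE802154_DEMO;
    sa.addr.addr_type = DEMO_ADDR_SHORT;
    sa.addr.pan_id = 0x1234;
    sa.addr.u.short_addr = 0xabcd;
    return sa;
}

/* Full-length buffer: returns 0 and the parsed fields match the input. */
int demo_check_full(void)
{
    struct demo_sockaddr sa = demo_sample_sockaddr();
    struct demo_addr out;
    int err = demo_parse_msg_name(&sa, sizeof(sa), &out);
    if (err)
        return err;
    return (out.pan_id == 0x1234 && out.short_addr == 0xabcd && out.mode == DEMO_ADDR_SHORT) ? 0 : -1;
}

/* Buffer declared one byte short of the struct: must be rejected before any read. */
int demo_check_short(void)
{
    struct demo_sockaddr sa = demo_sample_sockaddr();
    struct demo_addr out;
    return demo_parse_msg_name(&sa, sizeof(sa) - 1, &out);
}

int main(void)
{
    printf("full-length sockaddr: %d\n", demo_check_full());   /* 0 */
    printf("truncated sockaddr:   %d\n", demo_check_short());  /* -EINVAL */
    return 0;
}
```

The point of the model is the ordering: the length test runs before anything dereferences the address, so a truncated `msg_namelen` is answered with -EINVAL and the bytes beyond it are never touched.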


Thread overview: 6+ messages
2022-08-22  7:19 Haimin Zhang [this message]
2022-08-23  8:40 ` [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg Stefan Schmidt
2022-08-23 12:22   ` Alexander Aring
     [not found]     ` <CAB2z9exhnzte0rpT9t6=VpFCm9x+zZdmr01UHFxqvYy8y9ifag@mail.gmail.com>
2022-08-24 12:38       ` Alexander Aring
2022-08-29  9:08     ` Stefan Schmidt
2022-08-30  7:04       ` zhang haiming