From: Mihai Moldovan <ionic@ionic.de>
To: linux-arm-msm@vger.kernel.org, Manivannan Sadhasivam <mani@kernel.org>
Cc: Denis Kenzior <denkenz@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Kuniyuki Iwashima <kuniyu@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Willem de Bruijn <willemb@google.com>,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Simon Horman <horms@kernel.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v4 01/11] net: qrtr: ns: validate msglen before ctrl_pkt use
Date: Mon, 28 Jul 2025 18:45:18 +0200
Message-ID: <456d8dff226c88657c79f1dbadf0dcaba8b905ae.1753720934.git.ionic@ionic.de>
In-Reply-To: <cover.1753720934.git.ionic@ionic.de>

From: Denis Kenzior <denkenz@gmail.com>

The qrtr_ctrl_pkt structure is currently accessed without checking
if the received payload is large enough to hold the structure's fields.
Add a check to ensure the payload length is sufficient.

Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Andy Gross <agross@kernel.org>
Signed-off-by: Mihai Moldovan <ionic@ionic.de>
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
---
v4:
- no changes
- Link to v3: https://msgid.link/a3bc13d1496404e96723a427086271107016bdd6.1753312999.git.ionic@ionic.de
v3:
- add Fixes: tag
- rebase against current master
- Link to v2: https://msgid.link/866f309e9739d770dce7e8c648b562d37db1d8b5.1752947108.git.ionic@ionic.de
v2:
- rebase against current master
- use correct size of packet structure as per review comment
- Link to v1: https://msgid.link/20241018181842.1368394-2-denkenz@gmail.com
---
net/qrtr/ns.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 3de9350cbf30..2bcfe539dc3e 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
break;
}
+ if ((size_t)msglen < sizeof(*pkt))
+ break;
+
pkt = recv_buf;
cmd = le32_to_cpu(pkt->cmd);
if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
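Review bot: The new `(size_t)msglen < sizeof(*pkt)` test in qrtr_ns_worker() discards a short control packet silently and does so with `break`, the same exit the preceding error branch uses. If that `break` leaves the receive loop, one undersized packet stops the worker from handling anything queued behind it until the work item runs again; `continue` would skip only the malformed packet, and a ratelimited warning would make such packets visible to whoever is debugging a misbehaving peer. The cast to size_t is only safe when msglen is already known to be non-negative at this point, so a one-line comment saying the branch above guarantees that would help, since a negative value would otherwise convert to a huge length and pass the check. Finally, the check requires the full sizeof(*pkt) for every command before `cmd` is even read; it is worth stating in the commit message that no valid sender transmits a shorter control packet.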
--
2.50.0
Thread overview: 14+ messages
2025-07-28 16:45 [PATCH v4 00/11] QRTR Multi-endpoint support Mihai Moldovan
2025-07-28 16:45 ` Mihai Moldovan [this message]
2025-07-28 16:45 ` [PATCH v4 02/11] net: qrtr: allocate and track endpoint ids Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 03/11] net: qrtr: fit node ID + port number combination into unsigned long Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 04/11] net: qrtr: support identical node ids Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 05/11] net: qrtr: Report sender endpoint in aux data Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 06/11] net: qrtr: Report endpoint for locally generated messages Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 07/11] net: qrtr: Allow sendmsg to target an endpoint Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 08/11] net: qrtr: allow socket endpoint binding Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 09/11] net: qrtr: Drop remote {NEW|DEL}_LOOKUP messages Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 10/11] net: qrtr: ns: support multiple endpoints Mihai Moldovan
2025-07-28 16:45 ` [PATCH v4 11/11] net: qrtr: mhi: Report endpoint id in sysfs Mihai Moldovan
2025-07-31 0:57 ` [PATCH v4 00/11] QRTR Multi-endpoint support Jakub Kicinski
2025-07-31 5:47 ` Mihai Moldovan