From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752257AbbCXJLn (ORCPT ); Tue, 24 Mar 2015 05:11:43 -0400
Received: from mail.windriver.com ([147.11.1.11]:63965 "EHLO mail.windriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751328AbbCXJLl (ORCPT ); Tue, 24 Mar 2015 05:11:41 -0400
Message-ID: <55112A30.2050800@windriver.com>
Date: Tue, 24 Mar 2015 17:11:12 +0800
From: Ying Xue
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Sasha Levin ,
CC: , , , Allan Stephens , open list: TIPC NETWORK LAYER , "; open list": TIPC NETWORK LAYER , ;
Illegal-Object: Syntax error in CC: addresses found on vger.kernel.org: CC: ;open list:TIPC NETWORK LAYER ^-extraneous tokens in mailbox, missing end of mailbox
Subject: Re: [PATCH] tipc: validate length of sockaddr in connect() for dgram/rdm
References: <1427139003-30510-1-git-send-email-sasha.levin@oracle.com>
In-Reply-To: <1427139003-30510-1-git-send-email-sasha.levin@oracle.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [128.224.163.180]
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/24/2015 03:30 AM, Sasha Levin wrote:
> Commit f2f8036 ("tipc: add support for connect() on dgram/rdm sockets")
> hasn't validated user input length for the sockaddr structure which allows
> a user to overwrite kernel memory with arbitrary input.
>
> Fixes: f2f8036 ("tipc: add support for connect() on dgram/rdm sockets")
> Signed-off-by: Sasha Levin

Acked-by: Ying Xue

> --- > net/tipc/socket.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c > index 73c2f51..986dc96 100644 > --- a/net/tipc/socket.c > +++ b/net/tipc/socket.c 
> @@ -1852,6 +1852,8 @@ static int tipc_connect(struct socket *sock, struct sockaddr *dest, > if (dst->family == AF_UNSPEC) { > memset(&tsk->remote, 0, sizeof(struct sockaddr_tipc)); > tsk->connected = 0; > + } else if (destlen != sizeof(struct sockaddr_tipc)) { > + res = -EINVAL; > } else { > memcpy(&tsk->remote, dest, destlen); > tsk->connected = 1; >
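
Review bot: In the if/else-if chain in tipc_connect(), `dst->family` is still tested before `destlen` is looked at, so the AF_UNSPEC branch is taken on the strength of a field that a short sockaddr may not actually cover. Unless code above this hunk already guarantees a minimum length, consider validating `destlen` first (at least large enough to contain the family field) and only then comparing against AF_UNSPEC, with the `destlen != sizeof(struct sockaddr_tipc)` test kept for the non-AF_UNSPEC case. As a second, smaller point, the copy in the final else branch still uses the caller-supplied length, `memcpy(&tsk->remote, dest, destlen);`. With the new check the two values are equal, but writing `sizeof(struct sockaddr_tipc)` there, matching the memset above, would keep the copy bounded by the destination size even if the branch order is changed later. A one-line comment on the new branch saying that the length comes from user space would also help future readers see why the check exists.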