tipc: Prevent invalid memory access when sending to configuration service
author Allan Stephens <Allan.Stephens@windriver.com>
Tue, 18 Jan 2011 18:09:29 +0000 (13:09 -0500)
committer Paul Gortmaker <paul.gortmaker@windriver.com>
Wed, 23 Feb 2011 23:05:07 +0000 (18:05 -0500)
Reject TIPC configuration service messages without a full message
header.  Previously, an application that sent a message to the
configuration service that was too short could cause the validation
code to access an uninitialized field in the msghdr structure,
resulting in a memory access exception.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
net/tipc/socket.c

index 893ca6eb5b41b0b78e3a42270f91bc1b12708640..125dcb0737b241d9036d7813765690f5764c6674 100644 (file)
@@ -493,6 +493,8 @@ static int dest_name_check(struct sockaddr_tipc *dest, struct msghdr *m)
        if (likely(dest->addr.name.name.type != TIPC_CFG_SRV))
                return -EACCES;
 
+       if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr)))
+               return -EMSGSIZE;
        if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
                return -EFAULT;
        if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))
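
Review bot: The added test `m->msg_iov[0].iov_len < sizeof(hdr)` only measures the first iovec, so a sender that splits a complete configuration header across two or more segments is now rejected with -EMSGSIZE even though the message as a whole is long enough. That is consistent with the `copy_from_user()` that follows, which also reads only from `msg_iov[0].iov_base`, but the restriction is not stated anywhere in the visible code. A short comment above the new check would help: say that the header must sit entirely in the first segment, and that `msg_iovlen` is tested first because `msg_iov[0]` must not be dereferenced when the vector is empty. A blank line between the new `return -EMSGSIZE;` and the `copy_from_user()` call would also match the spacing used after the preceding `return -EACCES;`.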