VMCI: Check userland-provided datagram size
author Andy King <acking@vmware.com>
Thu, 19 Feb 2015 18:33:56 +0000 (10:33 -0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 25 Mar 2015 10:32:15 +0000 (11:32 +0100)
Ensure that the size filled in by userland in the datagram header
matches the size of the buffer passed down in the IOCTL. Note that we
account for the size of the header itself in the check.

Acked-by: Jorgen Hansen <jhansen@vmware.com>
Acked-by: Aditya Sarwade <asarwade@vmware.com>
Signed-off-by: Andy King <acking@vmware.com>
Reported-by: David Ramos <daramos@stanford.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/misc/vmw_vmci/vmci_driver.c
drivers/misc/vmw_vmci/vmci_host.c

index 032d35cf93ca97dfaed554e6e77832672cfbca29..cf264a1bb149ee132ab310ab28e444ca9acaaa11 100644 (file)
@@ -113,5 +113,5 @@ module_exit(vmci_drv_exit);
 
 MODULE_AUTHOR("VMware, Inc.");
 MODULE_DESCRIPTION("VMware Virtual Machine Communication Interface.");
-MODULE_VERSION("1.1.1.0-k");
+MODULE_VERSION("1.1.2.0-k");
 MODULE_LICENSE("GPL v2");
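
Review bot: The MODULE_VERSION bump from 1.1.1.0-k to 1.1.2.0-k is not mentioned in the commit message. A line there stating that the version changes to mark the presence of the new size check would help anyone backporting the fix decide whether to carry this hunk along with the vmci_host.c change.
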
index 66fc9921fc85d22b927ea2b297fde5ca199866ee..a721b5d8a9dacdafe85257c64ea7c1f545e6f743 100644 (file)
@@ -395,6 +395,12 @@ static int vmci_host_do_send_datagram(struct vmci_host_dev *vmci_host_dev,
                return -EFAULT;
        }
 
+       if (VMCI_DG_SIZE(dg) != send_info.len) {
+               vmci_ioctl_err("datagram size mismatch\n");
+               kfree(dg);
+               return -EINVAL;
+       }
+
        pr_devel("Datagram dst (handle=0x%x:0x%x) src (handle=0x%x:0x%x), payload (size=%llu bytes)\n",
                 dg->dst.context, dg->dst.resource,
                 dg->src.context, dg->src.resource,
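
Review bot: The new comparison in vmci_host_do_send_datagram() reads the datagram header through VMCI_DG_SIZE(dg), so it is only meaningful if send_info.len is already known to cover a full header; that lower bound is not visible in this hunk's context and should be confirmed, or added, ahead of the check. The payload size is printed with %llu just below, so it is a 64-bit field, and if the macro adds the header size to it (as the commit message describes) the sum could wrap for a very large userland value unless the length is bounded first. A smaller point: the "datagram size mismatch" message would be more useful for debugging if it logged both the header-derived size and send_info.len.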