From: Allan Stephens Date: Tue, 18 Jan 2011 18:09:29 +0000 (-0500) Subject: tipc: Prevent invalid memory access when sending to configuration service X-Git-Tag: firefly_0821_release~7613^2~2196^2~274^2~13 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=3f8dd9446e66f2a982ddcff38e4705cfe93eeec6;p=firefly-linux-kernel-4.4.55.git tipc: Prevent invalid memory access when sending to configuration service Reject TIPC configuration service messages without a full message header. Previously, an application that sent a message to the configuration service that was too short could cause the validation code to access an uninitialized field in the msghdr structure, resulting in a memory access exception. Signed-off-by: Allan Stephens Signed-off-by: Paul Gortmaker --- diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 893ca6eb5b41..125dcb0737b2 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -493,6 +493,8 @@ static int dest_name_check(struct sockaddr_tipc *dest, struct msghdr *m) if (likely(dest->addr.name.name.type != TIPC_CFG_SRV)) return -EACCES; + if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr))) + return -EMSGSIZE; if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr))) return -EFAULT; if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))
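Review bot: The new length test in dest_name_check(), `m->msg_iov[0].iov_len < sizeof(hdr)`, looks only at the first iovec entry. A configuration message whose header is complete but spread over several iovec entries is therefore rejected with -EMSGSIZE. That matches the copy_from_user() call that follows, which also reads only from msg_iov[0].iov_base, but the restriction is not stated anywhere. A short comment above the check saying that the full header must sit in the first iovec would make the intent clear. The return value is also worth a second look: -EMSGSIZE is usually read as "message too long", so -EINVAL may describe a too-short header better to callers. Testing `!m->msg_iovlen` first is right, since it keeps msg_iov[0] from being dereferenced when the vector is empty.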