[PATCH net] rxrpc: Check address length before reading srx_service field

From: David Howells
Date: Fri Apr 12 2019 - 12:13:45 EST

Next message: Song Liu: "Re: [PATCH 3/7] perf header: Fix lock/unlock imbalances when processing BPF/BTF info"
Previous message: Robin Murphy: "Re: about cci400 pmu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>

KMSAN will complain if valid address length passed to bind() is shorter
than sizeof(struct sockaddr_rxrpc) bytes.

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

net/rxrpc/af_rxrpc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 54165722d6d0..ae8c5d7f3bf1 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -135,7 +135,7 @@ static int rxrpc_bind(struct socket *sock, struct sockaddr *saddr, int len)
struct sockaddr_rxrpc *srx = (struct sockaddr_rxrpc *)saddr;
struct rxrpc_local *local;
struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
- u16 service_id = srx->srx_service;
+ u16 service_id;
int ret;

_enter("%p,%p,%d", rx, saddr, len);
@@ -143,6 +143,7 @@ static int rxrpc_bind(struct socket *sock, struct sockaddr *saddr, int len)
ret = rxrpc_validate_address(rx, srx, len);
if (ret < 0)
goto error;
+ service_id = srx->srx_service;

lock_sock(&rx->sk);

Next message: Song Liu: "Re: [PATCH 3/7] perf header: Fix lock/unlock imbalances when processing BPF/BTF info"
Previous message: Robin Murphy: "Re: about cci400 pmu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]