Re: [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg

[Stefan Schmidt]

Hello Alex.

On 23.08.22 14:22, Alexander Aring wrote:
> Hi,
>
> On Tue, Aug 23, 2022 at 5:42 AM Stefan Schmidt
> <stefan@xxxxxxxxxxxxxxxxxx> wrote:
> > Hello.
> >
> > On 22.08.22 09:19, Haimin Zhang wrote:
> > > There is uninit value bug in dgram_sendmsg function in
> > > net/ieee802154/socket.c when the length of valid data pointed by the
> > > msg->msg_name isn't verified.
> > >
> > > This length is specified by msg->msg_namelen. Function
> > > ieee802154_addr_from_sa is called by dgram_sendmsg, which use
> > > msg->msg_name as struct sockaddr_ieee802154* and read it, that will
> > > eventually lead to uninit value read. So we should check the length of
> > > msg->msg_name is not less than sizeof(struct sockaddr_ieee802154)
> > > before entering the ieee802154_addr_from_sa.
> > >
> > > Signed-off-by: Haimin Zhang <tcs_kernel@xxxxxxxxxxx>
> >
> >
> > This patch has been applied to the wpan tree and will be
> > part of the next pull request to net. Thanks!
>
> For me this patch is buggy or at least it is questionable how to deal
> with the size of ieee802154_addr_sa here.

You are right. I completely missed this. Thanks for spotting!

> There should be a helper to calculate the size which depends on the
> addr_type field. It is not required to send the last 6 bytes if
> addr_type is IEEE802154_ADDR_SHORT.
> Nitpick is that we should check in the beginning of that function.

Haimin, in ieee802154 we could have two different sizes for 
ieee802154_addr_sa depending on the addr_type. We have short and 
extended addresses.

Could you please rework this patch to take this into account as Alex 
suggested?

I reverted your original patch from my tree.

regards
Stefan Schmidt