forked from luck/tmp_suning_uos_patched
net/rds: Check address length before reading address family
syzbot is reporting uninitialized value at rds_connect() [1] and rds_bind() [2]. This is because syzbot is passing ulen == 0 whereas these functions expect that it is safe to access sockaddr->family field in order to determine minimal address length for validation. [1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71 [2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f Reported-by: syzbot <syzbot+0049bebbf3042dbd2e8f@syzkaller.appspotmail.com> Reported-by: syzbot <syzbot+915c9f99f3dbc4bd6cd1@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
e305845096
commit
dd3ac9a684
|
@ -543,6 +543,9 @@ static int rds_connect(struct socket *sock, struct sockaddr *uaddr,
|
|||
struct rds_sock *rs = rds_sk_to_rs(sk);
|
||||
int ret = 0;
|
||||
|
||||
if (addr_len < offsetofend(struct sockaddr, sa_family))
|
||||
return -EINVAL;
|
||||
|
||||
lock_sock(sk);
|
||||
|
||||
switch (uaddr->sa_family) {
|
||||
|
|
|
@ -173,6 +173,8 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
|
|||
/* We allow an RDS socket to be bound to either IPv4 or IPv6
|
||||
* address.
|
||||
*/
|
||||
if (addr_len < offsetofend(struct sockaddr, sa_family))
|
||||
return -EINVAL;
|
||||
if (uaddr->sa_family == AF_INET) {
|
||||
struct sockaddr_in *sin = (struct sockaddr_in *)uaddr;
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user