| From 27b8584a8755b45cdc67bf6f90e8b0b2a86a6f6d Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Thu, 23 Jul 2020 17:49:57 +0300 |
| Subject: [PATCH] AX.25: Prevent integer overflows in connect and sendmsg |
| |
| commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d upstream. |
| |
| We recently added some bounds checking in ax25_connect() and |
| ax25_sendmsg() and we so we removed the AX25_MAX_DIGIS checks because |
| they were no longer required. |
| |
| Unfortunately, I believe they are required to prevent integer overflows |
| so I have added them back. |
| |
| Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()") |
| Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c |
| index dbe7ef2c7e75..2fdb1b573e8c 100644 |
| --- a/net/ax25/af_ax25.c |
| +++ b/net/ax25/af_ax25.c |
| @@ -1188,6 +1188,7 @@ static int __must_check ax25_connect(struct socket *sock, |
| fsa->fsa_ax25.sax25_ndigis != 0) { |
| /* Valid number of digipeaters ? */ |
| if (fsa->fsa_ax25.sax25_ndigis < 1 || |
| + fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS || |
| addr_len < sizeof(struct sockaddr_ax25) + |
| sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) { |
| err = -EINVAL; |
| @@ -1509,7 +1510,9 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) |
| struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax; |
| |
| /* Valid number of digipeaters ? */ |
| - if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) + |
| + if (usax->sax25_ndigis < 1 || |
| + usax->sax25_ndigis > AX25_MAX_DIGIS || |
| + addr_len < sizeof(struct sockaddr_ax25) + |
| sizeof(ax25_address) * usax->sax25_ndigis) { |
| err = -EINVAL; |
| goto out; |
| -- |
| 2.27.0 |
| |