| From foo@baz Fri Jan 4 20:27:35 CET 2019 |
| From: Willem de Bruijn <willemb@google.com> |
| Date: Fri, 21 Dec 2018 12:06:59 -0500 |
| Subject: packet: validate address length |
| |
| From: Willem de Bruijn <willemb@google.com> |
| |
| [ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ] |
| |
| Packet sockets with SOCK_DGRAM may pass an address for use in |
| dev_hard_header. Ensure that it is of sufficient length. |
| |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Signed-off-by: Willem de Bruijn <willemb@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/packet/af_packet.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/net/packet/af_packet.c |
| +++ b/net/packet/af_packet.c |
| @@ -2662,6 +2662,8 @@ static int tpacket_snd(struct packet_soc |
| proto = saddr->sll_protocol; |
| addr = saddr->sll_addr; |
| dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); |
| + if (addr && dev && saddr->sll_halen < dev->addr_len) |
| + goto out; |
| } |
| |
| err = -ENXIO; |
| @@ -2859,6 +2861,8 @@ static int packet_snd(struct socket *soc |
| proto = saddr->sll_protocol; |
| addr = saddr->sll_addr; |
| dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); |
| + if (addr && dev && saddr->sll_halen < dev->addr_len) |
| + goto out; |
| } |
| |
| err = -ENXIO; |
