| From 8ff41cc21714704ef0158a546c3c4d07fae2c952 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 30 Jun 2020 14:46:15 +0300 |
| Subject: net: qrtr: Fix an out of bounds read qrtr_endpoint_post() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 upstream. |
| |
| This code assumes that the user passed in enough data for a |
| qrtr_hdr_v1 or qrtr_hdr_v2 struct, but it's not necessarily true. If |
| the buffer is too small then it will read beyond the end. |
| |
| Reported-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> |
| Reported-by: syzbot+b8fe393f999a291a9ea6@syzkaller.appspotmail.com |
| Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/qrtr/qrtr.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| --- a/net/qrtr/qrtr.c |
| +++ b/net/qrtr/qrtr.c |
| @@ -259,7 +259,7 @@ int qrtr_endpoint_post(struct qrtr_endpo |
| unsigned int ver; |
| size_t hdrlen; |
| |
| - if (len & 3) |
| + if (len == 0 || len & 3) |
| return -EINVAL; |
| |
| skb = netdev_alloc_skb(NULL, len); |
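Review bot: The new `len == 0` term in the first check has no comment, and the hunk alone does not show what it protects. It presumably guards the read of the version field from `data` that feeds `switch (ver)`, but that read lies between this hunk and the next and is not visible here. A one-line comment above the check would record the intent, e.g. `/* length must be a non-zero multiple of 4 before any header byte is read */`. Writing the second operand as `(len & 3)` would also make the mixed `==`/`&`/`||` expression easier to read.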
| @@ -273,6 +273,8 @@ int qrtr_endpoint_post(struct qrtr_endpo |
| |
| switch (ver) { |
| case QRTR_PROTO_VER_1: |
| + if (len < sizeof(*v1)) |
| + goto err; |
| v1 = data; |
| hdrlen = sizeof(*v1); |
| |
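Review bot: The new `goto err` in the `QRTR_PROTO_VER_1` case, and the matching one in the `QRTR_PROTO_VER_2` case, run after `netdev_alloc_skb(NULL, len)` from the first hunk. Both therefore depend on the `err` label to release `skb`; that label is outside the visible hunks, so confirm it frees the buffer. Both checks use only `len` and the header type, so they could sit next to the initial `len` validation and reject a truncated packet before anything is allocated, if the version can be read from `data` at that point. At minimum, a comment such as `/* header must fit in the buffer before its fields are read */` would explain why the check precedes `v1 = data`.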
| @@ -286,6 +288,8 @@ int qrtr_endpoint_post(struct qrtr_endpo |
| size = le32_to_cpu(v1->size); |
| break; |
| case QRTR_PROTO_VER_2: |
| + if (len < sizeof(*v2)) |
| + goto err; |
| v2 = data; |
| hdrlen = sizeof(*v2) + v2->optlen; |
| |
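Review bot: In the `QRTR_PROTO_VER_2` case the added check guarantees only `sizeof(*v2)` bytes, yet the next line adds `v2->optlen`, a value taken from the packet, to `hdrlen`. Nothing in this hunk compares the resulting `hdrlen` with `len`, so any later access at `data + hdrlen` is safe only if the code after the switch (outside the hunk) rejects a header longer than the buffer. Consider adding `if (len < hdrlen) goto err;` right after the `hdrlen` assignment, or a comment naming the later check that covers it. The same applies to `size = le32_to_cpu(v1->size)` in the v1 case, which is also sender-controlled; a zero or very large `size` should be confirmed as handled by that later length comparison.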