Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 3f8dd9446e66f2a982ddcff38e4705cfe93eeec6^! / . / net / tipc / socket.c
commit3f8dd9446e66f2a982ddcff38e4705cfe93eeec6[log] [tgz]
authorAllan Stephens <Allan.Stephens@windriver.com>Tue Jan 18 13:09:29 2011 -0500
committerPaul Gortmaker <paul.gortmaker@windriver.com>Wed Feb 23 18:05:07 2011 -0500
tree2ed15933e1e6825c208113eac4605ac2850117df
parent4132facae1df653b5a78e0e32956218199026812 [diff] [blame]
tipc: Prevent invalid memory access when sending to configuration service

Reject TIPC configuration service messages without a full message
header.  Previously, an application that sent a message to the
configuration service that was too short could cause the validation
code to access an uninitialized field in the msghdr structure,
resulting in a memory access exception.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 893ca6e..125dcb0 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c

@@ -493,6 +493,8 @@
 	if (likely(dest->addr.name.name.type != TIPC_CFG_SRV))
 		return -EACCES;
 
+	if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr)))
+		return -EMSGSIZE;
 	if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
 		return -EFAULT;
 	if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))