tipc: Prevent invalid memory access when sending to configuration service

Reject TIPC configuration service messages without a full message header. Previously, an application that sent a message to the configuration service that was too short could cause the validation code to access an uninitialized field in the msghdr structure, resulting in a memory access exception. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

tipc: Prevent invalid memory access when sending to configuration service
Reject TIPC configuration service messages without a full message header. Previously, an application that sent a message to the configuration service that was too short could cause the validation code to access an uninitialized field in the msghdr structure, resulting in a memory access exception. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
3f8dd944 · Allan Stephens · Paul Gortmaker · 4132faca · 3f8dd944
Commit 3f8dd944 authored Jan 18, 2011 by Allan Stephens Committed by Paul Gortmaker Feb 23, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

net/tipc/socket.c net/tipc/socket.c +2 -0

No files found.
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -493,6 +493,8 @@ static int dest_name_check(struct sockaddr_tipc *dest, struct msghdr *m)
 	if (likely(dest->addr.name.name.type != TIPC_CFG_SRV))
 		return -EACCES;
+	if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr)))
+		return -EMSGSIZE;
 	if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
 		return -EFAULT;
 	if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))