Commit e3c42b61 authored by Mateusz Jurczyk's avatar Mateusz Jurczyk Committed by David S. Miller

af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers

Verify that the caller-provided sockaddr structure is large enough to
contain the sa_family field, before accessing it in bind() and connect()
handlers of the AF_IUCV socket. Since neither syscall enforces a minimum
size of the corresponding memory region, very short sockaddrs (zero or
one byte long) result in operating on uninitialized memory while
referencing .sa_family.

Fixes: 52a82e23 ("af_iucv: Validate socket address length in iucv_sock_bind()")
Signed-off-by: default avatarMateusz Jurczyk <mjurczyk@google.com>
[jwi: removed unneeded null-check for addr]
Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2e56c26b
...@@ -715,10 +715,8 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr, ...@@ -715,10 +715,8 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr,
char uid[9]; char uid[9];
/* Verify the input sockaddr */ /* Verify the input sockaddr */
if (!addr || addr->sa_family != AF_IUCV) if (addr_len < sizeof(struct sockaddr_iucv) ||
return -EINVAL; addr->sa_family != AF_IUCV)
if (addr_len < sizeof(struct sockaddr_iucv))
return -EINVAL; return -EINVAL;
lock_sock(sk); lock_sock(sk);
...@@ -862,7 +860,7 @@ static int iucv_sock_connect(struct socket *sock, struct sockaddr *addr, ...@@ -862,7 +860,7 @@ static int iucv_sock_connect(struct socket *sock, struct sockaddr *addr,
struct iucv_sock *iucv = iucv_sk(sk); struct iucv_sock *iucv = iucv_sk(sk);
int err; int err;
if (addr->sa_family != AF_IUCV || alen < sizeof(struct sockaddr_iucv)) if (alen < sizeof(struct sockaddr_iucv) || addr->sa_family != AF_IUCV)
return -EINVAL; return -EINVAL;
if (sk->sk_state != IUCV_OPEN && sk->sk_state != IUCV_BOUND) if (sk->sk_state != IUCV_OPEN && sk->sk_state != IUCV_BOUND)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment