diff options
| author | Mateusz Jurczyk <mjurczyk@google.com> | 2017-06-13 12:44:28 -0400 |
|---|---|---|
| committer | Samuel Ortiz <sameo@linux.intel.com> | 2017-06-22 18:38:31 -0400 |
| commit | f6a5885fc4d68e7f25ffb42b9d8d80aebb3bacbb (patch) | |
| tree | 829ed516b1f0f3eb98c27cebeaca12eaa11664f6 /net/nfc | |
| parent | 6f874bafacf053b87887f4149fc117e2b1096138 (diff) | |
NFC: Add sockaddr length checks before accessing sa_family in bind handlers
Verify that the caller-provided sockaddr structure is large enough to
contain the sa_family field, before accessing it in bind() handlers of the
AF_NFC socket. Since the syscall doesn't enforce a minimum size of the
corresponding memory region, very short sockaddrs (zero or one byte long)
result in operating on uninitialized memory while referencing .sa_family.
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'net/nfc')
| -rw-r--r-- | net/nfc/llcp_sock.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index d0d12bea65cb..fb7afcaa3004 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c | |||
| @@ -77,7 +77,8 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) | |||
| 77 | struct sockaddr_nfc_llcp llcp_addr; | 77 | struct sockaddr_nfc_llcp llcp_addr; |
| 78 | int len, ret = 0; | 78 | int len, ret = 0; |
| 79 | 79 | ||
| 80 | if (!addr || addr->sa_family != AF_NFC) | 80 | if (!addr || alen < offsetofend(struct sockaddr, sa_family) || |
| 81 | addr->sa_family != AF_NFC) | ||
| 81 | return -EINVAL; | 82 | return -EINVAL; |
| 82 | 83 | ||
| 83 | pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family); | 84 | pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family); |
| @@ -151,7 +152,8 @@ static int llcp_raw_sock_bind(struct socket *sock, struct sockaddr *addr, | |||
| 151 | struct sockaddr_nfc_llcp llcp_addr; | 152 | struct sockaddr_nfc_llcp llcp_addr; |
| 152 | int len, ret = 0; | 153 | int len, ret = 0; |
| 153 | 154 | ||
| 154 | if (!addr || addr->sa_family != AF_NFC) | 155 | if (!addr || alen < offsetofend(struct sockaddr, sa_family) || |
| 156 | addr->sa_family != AF_NFC) | ||
| 155 | return -EINVAL; | 157 | return -EINVAL; |
| 156 | 158 | ||
| 157 | pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family); | 159 | pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family); |