econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

Later parts of econet_sendmsg() rely on saddr != NULL, so return early with EINVAL if NULL was passed otherwise an oops may occur. Signed-off-by: Phil Blundell <philb@gnu.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Phil Blundell <philb@gnu.org> 2010-11-24 14:49:19 -0500
committer: David S. Miller <davem@davemloft.net> 2010-11-24 14:49:19 -0500
commit: fa0e846494792e722d817b9d3d625a4ef4896c96 (patch)
tree: 0e842037f9f48fe0974fe854f7f2d13b69f23c7f
parent: c39508d6f118308355468314ff414644115a07f3 (diff)
1 files changed, 8 insertions, 18 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index f8c1ae4b41f0..e366f1bef91f 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        mutex_lock(&econet_mutex);
-        if (saddr == NULL) {
+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                struct econet_sock *eo = ec_sk(sk);
+                mutex_unlock(&econet_mutex);
+                return -EINVAL;
-                addr.station = eo->station;
+        }
-                addr.net     = eo->net;
+        addr.station = saddr->addr.station;
-                port         = eo->port;
+        addr.net = saddr->addr.net;
-                cb           = eo->cb;
+        port = saddr->port;
-        } else {
+        cb = saddr->cb;
-                if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EINVAL;
-                }
-                addr.station = saddr->addr.station;
-                addr.net = saddr->addr.net;
-                port = saddr->port;
-                cb = saddr->cb;
-        }
        /* Look for a device with the right network number. */
        dev = net2dev_map[addr.net];
@@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                eb = (struct ec_cb *)&skb->cb;
-                /* BUG: saddr may be NULL */
                eb->cookie = saddr->cookie;
                eb->sec = *saddr;
                eb->sent = ec_tx_done;
author	Phil Blundell <philb@gnu.org>	2010-11-24 14:49:19 -0500
committer	David S. Miller <davem@davemloft.net>	2010-11-24 14:49:19 -0500
commit	fa0e846494792e722d817b9d3d625a4ef4896c96 (patch)
tree	0e842037f9f48fe0974fe854f7f2d13b69f23c7f
parent	c39508d6f118308355468314ff414644115a07f3 (diff)

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index f8c1ae4b41f0..e366f1bef91f 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c
@@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
297		297
298	mutex_lock(&econet_mutex);	298	mutex_lock(&econet_mutex);
299		299
300	if (saddr == NULL) {	300	if (saddr == NULL \|\| msg->msg_namelen < sizeof(struct sockaddr_ec)) {
301	struct econet_sock *eo = ec_sk(sk);	301	mutex_unlock(&econet_mutex);
302		302	return -EINVAL;
303	addr.station = eo->station;	303	}
304	addr.net = eo->net;	304	addr.station = saddr->addr.station;
305	port = eo->port;	305	addr.net = saddr->addr.net;
306	cb = eo->cb;	306	port = saddr->port;
307	} else {	307	cb = saddr->cb;
308	if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
309	mutex_unlock(&econet_mutex);
310	return -EINVAL;
311	}
312	addr.station = saddr->addr.station;
313	addr.net = saddr->addr.net;
314	port = saddr->port;
315	cb = saddr->cb;
316	}
317		308
318	/* Look for a device with the right network number. */	309	/* Look for a device with the right network number. */
319	dev = net2dev_map[addr.net];	310	dev = net2dev_map[addr.net];
@@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
351		342
352	eb = (struct ec_cb *)&skb->cb;	343	eb = (struct ec_cb *)&skb->cb;
353		344
354	/* BUG: saddr may be NULL */
355	eb->cookie = saddr->cookie;	345	eb->cookie = saddr->cookie;
356	eb->sec = *saddr;	346	eb->sec = *saddr;
357	eb->sent = ec_tx_done;	347	eb->sent = ec_tx_done;