aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChangli Gao <xiaosuo@gmail.com>2010-03-31 18:58:26 -0400
committerDavid S. Miller <davem@davemloft.net>2010-04-01 20:26:01 -0400
commit6503d96168f891ffa3b70ae6c9698a1a722025a0 (patch)
tree9fafcd9eb2c0b3feda0cf4c36e4167ba3028d83a
parenta1d6f3f65512cc90a636e6ec653b7bc9e2238753 (diff)
net: check the length of the socket address passed to connect(2)
check the length of the socket address passed to connect(2). Check the length of the socket address passed to connect(2). If the length is invalid, -EINVAL will be returned. Signed-off-by: Changli Gao <xiaosuo@gmail.com> ---- net/bluetooth/l2cap.c | 3 ++- net/bluetooth/rfcomm/sock.c | 3 ++- net/bluetooth/sco.c | 3 ++- net/can/bcm.c | 3 +++ net/ieee802154/af_ieee802154.c | 3 +++ net/ipv4/af_inet.c | 5 +++++ net/netlink/af_netlink.c | 3 +++ 7 files changed, 20 insertions(+), 3 deletions(-) Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/bluetooth/l2cap.c3
-rw-r--r--net/bluetooth/rfcomm/sock.c3
-rw-r--r--net/bluetooth/sco.c3
-rw-r--r--net/can/bcm.c3
-rw-r--r--net/ieee802154/af_ieee802154.c3
-rw-r--r--net/ipv4/af_inet.c5
-rw-r--r--net/netlink/af_netlink.c3
7 files changed, 20 insertions, 3 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 7794a2e2adce..99d68c34e4f1 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1002,7 +1002,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1002 1002
1003 BT_DBG("sk %p", sk); 1003 BT_DBG("sk %p", sk);
1004 1004
1005 if (!addr || addr->sa_family != AF_BLUETOOTH) 1005 if (!addr || alen < sizeof(addr->sa_family) ||
1006 addr->sa_family != AF_BLUETOOTH)
1006 return -EINVAL; 1007 return -EINVAL;
1007 1008
1008 memset(&la, 0, sizeof(la)); 1009 memset(&la, 0, sizeof(la));
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7f439765403d..8ed3c37684fa 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -397,7 +397,8 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a
397 397
398 BT_DBG("sk %p", sk); 398 BT_DBG("sk %p", sk);
399 399
400 if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_rc)) 400 if (alen < sizeof(struct sockaddr_rc) ||
401 addr->sa_family != AF_BLUETOOTH)
401 return -EINVAL; 402 return -EINVAL;
402 403
403 lock_sock(sk); 404 lock_sock(sk);
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index e5b16b76b22e..ca6b2ad1c3fc 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,7 +499,8 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
499 499
500 BT_DBG("sk %p", sk); 500 BT_DBG("sk %p", sk);
501 501
502 if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_sco)) 502 if (alen < sizeof(struct sockaddr_sco) ||
503 addr->sa_family != AF_BLUETOOTH)
503 return -EINVAL; 504 return -EINVAL;
504 505
505 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) 506 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index e32af52238a2..629ad1debe81 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1478,6 +1478,9 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
1478 struct sock *sk = sock->sk; 1478 struct sock *sk = sock->sk;
1479 struct bcm_sock *bo = bcm_sk(sk); 1479 struct bcm_sock *bo = bcm_sk(sk);
1480 1480
1481 if (len < sizeof(*addr))
1482 return -EINVAL;
1483
1481 if (bo->bound) 1484 if (bo->bound)
1482 return -EISCONN; 1485 return -EISCONN;
1483 1486
diff --git a/net/ieee802154/af_ieee802154.c b/net/ieee802154/af_ieee802154.c
index bad1c49fd960..01beb6c11205 100644
--- a/net/ieee802154/af_ieee802154.c
+++ b/net/ieee802154/af_ieee802154.c
@@ -126,6 +126,9 @@ static int ieee802154_sock_connect(struct socket *sock, struct sockaddr *uaddr,
126{ 126{
127 struct sock *sk = sock->sk; 127 struct sock *sk = sock->sk;
128 128
129 if (addr_len < sizeof(uaddr->sa_family))
130 return -EINVAL;
131
129 if (uaddr->sa_family == AF_UNSPEC) 132 if (uaddr->sa_family == AF_UNSPEC)
130 return sk->sk_prot->disconnect(sk, flags); 133 return sk->sk_prot->disconnect(sk, flags);
131 134
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 33b7dffa7732..a366861bf4cd 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -530,6 +530,8 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr * uaddr,
530{ 530{
531 struct sock *sk = sock->sk; 531 struct sock *sk = sock->sk;
532 532
533 if (addr_len < sizeof(uaddr->sa_family))
534 return -EINVAL;
533 if (uaddr->sa_family == AF_UNSPEC) 535 if (uaddr->sa_family == AF_UNSPEC)
534 return sk->sk_prot->disconnect(sk, flags); 536 return sk->sk_prot->disconnect(sk, flags);
535 537
@@ -573,6 +575,9 @@ int inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
573 int err; 575 int err;
574 long timeo; 576 long timeo;
575 577
578 if (addr_len < sizeof(uaddr->sa_family))
579 return -EINVAL;
580
576 lock_sock(sk); 581 lock_sock(sk);
577 582
578 if (uaddr->sa_family == AF_UNSPEC) { 583 if (uaddr->sa_family == AF_UNSPEC) {
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index acbbae1e89b5..795424396aff 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -683,6 +683,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
683 struct netlink_sock *nlk = nlk_sk(sk); 683 struct netlink_sock *nlk = nlk_sk(sk);
684 struct sockaddr_nl *nladdr = (struct sockaddr_nl *)addr; 684 struct sockaddr_nl *nladdr = (struct sockaddr_nl *)addr;
685 685
686 if (alen < sizeof(addr->sa_family))
687 return -EINVAL;
688
686 if (addr->sa_family == AF_UNSPEC) { 689 if (addr->sa_family == AF_UNSPEC) {
687 sk->sk_state = NETLINK_UNCONNECTED; 690 sk->sk_state = NETLINK_UNCONNECTED;
688 nlk->dst_pid = 0; 691 nlk->dst_pid = 0;