author | Allan Stephens <Allan.Stephens@windriver.com> | 2011-01-18 13:09:29 -0500 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-02-23 18:05:07 -0500 |
commit | 3f8dd9446e66f2a982ddcff38e4705cfe93eeec6 (patch) | |
tree | 2ed15933e1e6825c208113eac4605ac2850117df /net/tipc | |
parent | 4132facae1df653b5a78e0e32956218199026812 (diff) |
tipc: Prevent invalid memory access when sending to configuration service
Reject TIPC configuration service messages without a full message
header. Previously, an application that sent a message to the
configuration service that was too short could cause the validation
code to access an uninitialized field in the msghdr structure,
resulting in a memory access exception.
Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Diffstat (limited to 'net/tipc')
-rw-r--r-- | net/tipc/socket.c | 2 |
1 files changed, 2 insertions, 0 deletions
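--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -493,6 +493,8 @@ static int dest_name_check(struct sockaddr_tipc *dest, struct msghdr *m)
 if (likely(dest->addr.name.name.type != TIPC_CFG_SRV))
 return -EACCES;
 
+if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr)))
+return -EMSGSIZE;
 if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
 return -EFAULT;
 if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))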
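Review bot: The added guard in dest_name_check() inspects only `m->msg_iov[0]`, so a configuration message whose header is spread over several iovecs is rejected with -EMSGSIZE even when its total length is sufficient. That restriction is not stated anywhere in the hunk and deserves a comment above the check, for example `/* cfg header must lie entirely in the first iovec; only msg_iov[0] is read below */`. Separately, `hdr` is copied from user memory here purely for validation. If the send path fetches the same bytes again later (not visible in this hunk), the `CAP_NET_ADMIN` decision based on `hdr.tcm_type` could be made on different data than what is actually sent, so it is worth confirming that the validated copy is the one used. The function begins and ends outside the hunk, so the declaration of `hdr` and the remaining checks could not be reviewed.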