
Commit 20a3d5bf authored by Mateusz Jurczyk, committed by David S. Miller

caif: Add sockaddr length check before accessing sa_family in connect handler



Verify that the caller-provided sockaddr structure is large enough to
contain the sa_family field, before accessing it in the connect()
handler of the AF_CAIF socket. Since the syscall doesn't enforce a minimum
size of the corresponding memory region, very short sockaddrs (zero or one
byte long) result in operating on uninitialized memory while referencing
sa_family.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 7de84403
+4 −0
@@ -754,6 +754,10 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,

	lock_sock(sk);

	err = -EINVAL;
	if (addr_len < offsetofend(struct sockaddr, sa_family))
		goto out;

	err = -EAFNOSUPPORT;
	if (uaddr->sa_family != AF_CAIF)
		goto out;
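
Review bot: The new addr_len test right after lock_sock(sk) bounds only the sa_family field, so it covers the `uaddr->sa_family != AF_CAIF` comparison below it and nothing past that field. If caif_connect() goes on to read CAIF-specific members of the address, those reads need their own comparison against addr_len, which these lines do not show. Because the test depends only on the caller's arguments and not on socket state, it could also run before lock_sock(sk) and return -EINVAL directly, sparing the lock round trip for malformed input. Keeping it beside the sa_family check on the shared `goto out` path does match the surrounding style. A short comment stating that the syscall layer does not enforce a minimum sockaddr size would help readers who assume that validation happens upstream.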