Commit 02889ec6 authored Jul 22, 2020 by Peilin Ye Committed by Greg Kroah-Hartman Jul 31, 2020

AX.25: Prevent out-of-bounds read in ax25_sendmsg()



[ Upstream commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 ]

Checks on `addr_len` and `usax->sax25_ndigis` are insufficient.
ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7
or 8. Fix it.

It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since
`addr_len` is guaranteed to be less than or equal to
`sizeof(struct full_sockaddr_ax25)`

Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent b1cd0a68

net/ax25/af_ax25.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1512,7 +1512,8 @@ static int ax25_sendmsg(struct socket sock, struct msghdr msg, size_t len)
		struct full_sockaddr_ax25 fsa = (struct full_sockaddr_ax25 )usax;

		/* Valid number of digipeaters ? */
		if (usax->sax25_ndigis < 1 \|\| usax->sax25_ndigis > AX25_MAX_DIGIS) {
		if (usax->sax25_ndigis < 1 \|\| addr_len < sizeof(struct sockaddr_ax25) +
		sizeof(ax25_address) * usax->sax25_ndigis) {
		err = -EINVAL;
		goto out;
		}