From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-bn3nam01on0094.outbound.protection.outlook.com ([104.47.33.94]:21055 "EHLO NAM01-BN3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1756336AbeDIAjo (ORCPT ); Sun, 8 Apr 2018 20:39:44 -0400 From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Mateusz Jurczyk , "David S . Miller" , Sasha Levin Subject: [PATCH AUTOSEL for 3.18 028/101] caif: Add sockaddr length check before accessing sa_family in connect handler Date: Mon, 9 Apr 2018 00:35:37 +0000 Message-ID: <20180409003505.164715-28-alexander.levin@microsoft.com> References: <20180409003505.164715-1-alexander.levin@microsoft.com> In-Reply-To: <20180409003505.164715-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Mateusz Jurczyk [ Upstream commit 20a3d5bf5e5b13c02450ab6178ec374abd830686 ] Verify that the caller-provided sockaddr structure is large enough to contain the sa_family field, before accessing it in the connect() handler of the AF_CAIF socket. Since the syscall doesn't enforce a minimum size of the corresponding memory region, very short sockaddrs (zero or one byte long) result in operating on uninitialized memory while referencing sa_family. Signed-off-by: Mateusz Jurczyk Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/caif/caif_socket.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 5e10ee0efffb..40389e5b8b32 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c 
@@ -758,6 +758,10 @@ static int caif_connect(struct socket *sock, struct so= ckaddr *uaddr, =20 lock_sock(sk); =20 + err =3D -EINVAL; + if (addr_len < offsetofend(struct sockaddr, sa_family)) + goto out; + err =3D -EAFNOSUPPORT; if (uaddr->sa_family !=3D AF_CAIF) goto out; --=20 2.15.1
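Review bot: the new length check relies on offsetofend(), but the hunk adds no #include for it and this is a backport to 3.18, so confirm that the macro resolves in that tree's headers before applying; a build failure would be the only symptom. The ordering is otherwise right: the `addr_len < offsetofend(struct sockaddr, sa_family)` test sits ahead of the existing `if (uaddr->sa_family != AF_CAIF)` test that reads the field, and it reuses the same `goto out` as the -EAFNOSUPPORT path, so the lock taken by lock_sock(sk) just above is released on the same exit path for both errors.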