Commit 6503d96168f891ffa3b70ae6c9698a1a722025a0

Authored by Changli Gao
Committed by David S. Miller
1 parent a1d6f3f655

net: check the length of the socket address passed to connect(2)

check the length of the socket address passed to connect(2).

Check the length of the socket address passed to connect(2) before any field of
the address is read. If the length is too short for the address family, -EINVAL
is returned.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----
net/bluetooth/l2cap.c | 3 ++-
net/bluetooth/rfcomm/sock.c | 3 ++-
net/bluetooth/sco.c | 3 ++-
net/can/bcm.c | 3 +++
net/ieee802154/af_ieee802154.c | 3 +++
net/ipv4/af_inet.c | 5 +++++
net/netlink/af_netlink.c | 3 +++
7 files changed, 20 insertions(+), 3 deletions(-)
Signed-off-by: David S. Miller <davem@davemloft.net>


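--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1002,7 +1002,8 @@
 
 BT_DBG("sk %p", sk);
 
-if (!addr || addr->sa_family != AF_BLUETOOTH)
+if (!addr || alen < sizeof(addr->sa_family) ||
+addr->sa_family != AF_BLUETOOTH)
 return -EINVAL;
 
 memset(&la, 0, sizeof(la));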
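Review bot: The new guard at 1005–1006 only proves that `sa_family` is readable, which is weaker than the full `sizeof(struct sockaddr_rc)` / `sizeof(struct sockaddr_sco)` bounds this same series applies to the other Bluetooth sockets; everything after the `memset(&la, 0, sizeof(la))` at 1009 is outside the hunk, so how much of `addr` is then copied into `la` cannot be seen here. If that copy takes `alen` bytes uncapped, a two-byte address reads past the buffer; if it is clamped to `min(alen, sizeof(la))`, a short address silently connects to a zeroed psm/bdaddr. Either way the contract deserves a comment at 1005, e.g. `/* only sa_family is guaranteed readable here; the copy into la must clamp to alen */`. The enclosing connect handler starts above the hunk and continues below it.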
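--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -397,7 +397,8 @@
 
 BT_DBG("sk %p", sk);
 
-if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_rc))
+if (alen < sizeof(struct sockaddr_rc) ||
+addr->sa_family != AF_BLUETOOTH)
 return -EINVAL;
 
 lock_sock(sk);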
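Review bot: The reordered test at 400–401 now dereferences `addr->sa_family` only after `alen` has passed the size check, which is the right order, but `alen < sizeof(struct sockaddr_rc)` is a signed/unsigned comparison if `alen` is the `int sockaddr_len` of the `proto_ops` connect signature: a negative `alen` is promoted to a huge `size_t` and passes. That is presumably harmless on the connect(2) path, which rejects negative lengths before the handler runs, but a kernel-internal caller gets no such protection. Either record the assumption, `/* caller has already rejected negative alen */`, or make the guard self-contained with `if (alen < 0 || alen < sizeof(struct sockaddr_rc) ||`. The function's declaration is above the hunk, so the type of `alen` is inferred.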
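--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,7 +499,8 @@
 
 BT_DBG("sk %p", sk);
 
-if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_sco))
+if (alen < sizeof(struct sockaddr_sco) ||
+addr->sa_family != AF_BLUETOOTH)
 return -EINVAL;
 
 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)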
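--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1478,6 +1478,9 @@
 struct sock *sk = sock->sk;
 struct bcm_sock *bo = bcm_sk(sk);
 
+if (len < sizeof(*addr))
+return -EINVAL;
+
 if (bo->bound)
 return -EISCONN;
 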
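Review bot: The guard at 1481 compares `len` against `sizeof(*addr)`, and `addr` is declared above the hunk, so a reader of these lines cannot tell whether the bound is `sizeof(struct sockaddr_can)` or the 16-byte generic `struct sockaddr` — the check only does its job if it is the former. Spelling it `if (len < sizeof(struct sockaddr_can))` makes the bound self-evident and keeps it correct if the local's type ever changes. The connect handler's signature and the uses of `addr` that this check protects are outside the hunk.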
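--- a/net/ieee802154/af_ieee802154.c
+++ b/net/ieee802154/af_ieee802154.c
@@ -126,6 +126,9 @@
 {
 struct sock *sk = sock->sk;
 
+if (addr_len < sizeof(uaddr->sa_family))
+return -EINVAL;
+
 if (uaddr->sa_family == AF_UNSPEC)
 return sk->sk_prot->disconnect(sk, flags);
 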
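Review bot: The two-byte check at 129 covers only the `uaddr->sa_family` read at 132; whatever reads `uaddr` on the non-AF_UNSPEC path — presumably a `sk->sk_prot->connect(sk, uaddr, addr_len)` call below the hunk — must perform its own `addr_len < sizeof(struct sockaddr_ieee802154)` check, and nothing here shows that it does. A comment at 129 would make that division of responsibility explicit: `/* only sa_family is validated here; the protocol's connect() checks the full address length */`. The rest of the function, including the signature that gives `addr_len` its type, lies outside the hunk.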
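--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -530,6 +530,8 @@
 {
 struct sock *sk = sock->sk;
 
+if (addr_len < sizeof(uaddr->sa_family))
+return -EINVAL;
 if (uaddr->sa_family == AF_UNSPEC)
 return sk->sk_prot->disconnect(sk, flags);
 
@@ -572,6 +574,9 @@
 struct sock *sk = sock->sk;
 int err;
 long timeo;
+
+if (addr_len < sizeof(uaddr->sa_family))
+return -EINVAL;
 
 lock_sock(sk);
 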
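Review bot: In the first hunk (533–534) the new guard runs straight into the existing `if (uaddr->sa_family == AF_UNSPEC)` with no blank line between them, while the second hunk (577–579) and the other files in this series separate the guard from what follows; a blank line after `return -EINVAL;` at 534 would keep the two hunks consistent. As elsewhere in the series the check only covers the `sa_family` read, and the full `sockaddr_in` length is presumably left to the protocol's connect handler, which is not visible here. Both enclosing functions start above their hunks, and the second continues past `lock_sock(sk)`.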
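--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -683,6 +683,9 @@
 struct netlink_sock *nlk = nlk_sk(sk);
 struct sockaddr_nl *nladdr = (struct sockaddr_nl *)addr;
 
+if (alen < sizeof(addr->sa_family))
+return -EINVAL;
+
 if (addr->sa_family == AF_UNSPEC) {
 sk->sk_state = NETLINK_UNCONNECTED;
 nlk->dst_pid = 0;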
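Review bot: The check at 686 proves only that `addr->sa_family` can be read, which is all the AF_UNSPEC branch at 689 needs, but `nladdr` is cast to `struct sockaddr_nl *` at 684 and is presumably dereferenced (`nl_pid`, `nl_groups`) on the AF_NETLINK path below the hunk, where an address shorter than the struct would be read past `alen`. That path needs a full-size check after the family test, `if (alen < sizeof(struct sockaddr_nl)) return -EINVAL;`, which this commit does not add. The remainder of the function, including the `AF_NETLINK` comparison and the `nladdr` uses, lies outside the hunk.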