Commit 6503d96168f891ffa3b70ae6c9698a1a722025a0
Committed by
David S. Miller
1 parent
a1d6f3f655
Exists in
master
and in
39 other branches
net: check the length of the socket address passed to connect(2)
check the length of the socket address passed to connect(2). Check the length of the socket address passed to connect(2). If the length is invalid, -EINVAL will be returned. Signed-off-by: Changli Gao <xiaosuo@gmail.com> ---- net/bluetooth/l2cap.c | 3 ++- net/bluetooth/rfcomm/sock.c | 3 ++- net/bluetooth/sco.c | 3 ++- net/can/bcm.c | 3 +++ net/ieee802154/af_ieee802154.c | 3 +++ net/ipv4/af_inet.c | 5 +++++ net/netlink/af_netlink.c | 3 +++ 7 files changed, 20 insertions(+), 3 deletions(-) Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 7 changed files with 20 additions and 3 deletions Side-by-side Diff
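--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1002,7 +1002,8 @@
 
 BT_DBG("sk %p", sk);
 
-if (!addr || addr->sa_family != AF_BLUETOOTH)
+if (!addr || alen < sizeof(addr->sa_family) ||
+addr->sa_family != AF_BLUETOOTH)
 return -EINVAL;
 
 memset(&la, 0, sizeof(la));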
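Review bot: The added `alen < sizeof(addr->sa_family)` test compares alen with a size_t; alen's declaration is outside the hunk, but if it is a signed int, a negative length is converted to a large unsigned value and passes the check. Callers presumably bound the length before this point, though that is not visible here; writing `alen < (int)sizeof(addr->sa_family)` would make the check reject negative lengths on its own. The same signed-versus-size_t comparison appears in the af_inet.c and af_netlink.c hunks, and in sco.c against `sizeof(struct sockaddr_sco)`. The enclosing function starts and ends outside the hunk.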
net/bluetooth/rfcomm/sock.c
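--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,7 +499,8 @@
 
 BT_DBG("sk %p", sk);
 
-if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_sco))
+if (alen < sizeof(struct sockaddr_sco) ||
+addr->sa_family != AF_BLUETOOTH)
 return -EINVAL;
 
 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)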
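Review bot: The operand order in the rewritten condition is now what keeps `addr->sa_family` from being read out of a too-short address, and nothing in the code says so. A one-line comment above the test, e.g. `/* check alen first: sa_family must not be read from a short address */`, would stop a later cleanup from swapping the operands back. Unlike the l2cap.c check, this one has no `!addr` test; whether addr can be NULL here is not visible in the hunk. The enclosing function starts and ends outside the hunk.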
net/can/bcm.c
net/ieee802154/af_ieee802154.c
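--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -530,6 +530,8 @@
 {
 struct sock *sk = sock->sk;
 
+if (addr_len < sizeof(uaddr->sa_family))
+return -EINVAL;
 if (uaddr->sa_family == AF_UNSPEC)
 return sk->sk_prot->disconnect(sk, flags);
 
@@ -572,6 +574,9 @@
 struct sock *sk = sock->sk;
 int err;
 long timeo;
+
+if (addr_len < sizeof(uaddr->sa_family))
+return -EINVAL;
 
 lock_sock(sk);
 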
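Review bot: Both added checks guarantee only that `uaddr->sa_family` is readable; for any family other than AF_UNSPEC the rest of the address is still unvalidated when these functions pass it on. That validation presumably lives in the protocol's connect handler, which is outside both hunks, so a comment at each check such as `/* only sa_family is validated here; the protocol handler must check the full length */` would record the contract. The first hunk also omits the blank line after `return -EINVAL;` that the second hunk and the af_netlink.c change use. Both enclosing functions extend outside the hunks.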
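--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -683,6 +683,9 @@
 struct netlink_sock *nlk = nlk_sk(sk);
 struct sockaddr_nl *nladdr = (struct sockaddr_nl *)addr;
 
+if (alen < sizeof(addr->sa_family))
+return -EINVAL;
+
 if (addr->sa_family == AF_UNSPEC) {
 sk->sk_state = NETLINK_UNCONNECTED;
 nlk->dst_pid = 0;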
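Review bot: The new test admits any alen of at least `sizeof(addr->sa_family)`, but `nladdr` is the same buffer cast to `struct sockaddr_nl *`, so its fields beyond sa_family are not covered by the check. The AF_UNSPEC branch shown here does not read them; if the code after it (outside the hunk) reads nladdr's fields, an address shorter than the structure would be read past the bytes the caller supplied. A second check once the family is known, `if (alen < sizeof(*nladdr)) return -EINVAL;`, would close that gap. The enclosing function starts and ends outside the hunk.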