[PATCH 4.14 02/14] AX.25: Prevent out-of-bounds read in ax25_sendmsg()

30 Jul 2020

From: Peilin Ye yepeilin.cs@gmail.com
[ Upstream commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 ]
Checks on `addr_len` and `usax->sax25_ndigis` are insufficient.
ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7
or 8. Fix it.
It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since
`addr_len` is guaranteed to be less than or equal to
`sizeof(struct full_sockaddr_ax25)`
Signed-off-by: Peilin Ye yepeilin.cs@gmail.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 net/ax25/af_ax25.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1513,7 +1513,8 @@ static int ax25_sendmsg(struct socket *s
    		struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
/* Valid number of digipeaters ? */
-			if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) {
+			if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
+			    sizeof(ax25_address) * usax->sax25_ndigis) {
    			err = -EINVAL;
    			goto out;
    		}

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 4.14 02/14] AX.25: Prevent out-of-bounds read in ax25_sendmsg()