From: Dan Carpenter dan.carpenter@oracle.com
commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 upstream.
This code assumes that the user passed in enough data for a qrtr_hdr_v1 or qrtr_hdr_v2 struct, but it's not necessarily true. If the buffer is too small then it will read beyond the end.
Reported-by: Manivannan Sadhasivam manivannan.sadhasivam@linaro.org Reported-by: syzbot+b8fe393f999a291a9ea6@syzkaller.appspotmail.com Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/qrtr/qrtr.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -259,7 +259,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
 unsigned int ver;
 size_t hdrlen;
- if (len & 3)
+ if (len == 0 || len & 3)
 return -EINVAL;
 skb = netdev_alloc_skb(NULL, len);
@@ -273,6 +273,8 @@ int qrtr_endpoint_post(struct qrtr_endpo
 switch (ver) {
 case QRTR_PROTO_VER_1:
+ if (len < sizeof(*v1))
+ goto err;
 v1 = data;
 hdrlen = sizeof(*v1);
@@ -286,6 +288,8 @@ int qrtr_endpoint_post(struct qrtr_endpo
 size = le32_to_cpu(v1->size);
 break;
 case QRTR_PROTO_VER_2:
+ if (len < sizeof(*v2))
+ goto err;
 v2 = data;
 hdrlen = sizeof(*v2) + v2->optlen;
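Review bot: The new `len < sizeof(*v2)` check only guarantees the fixed part of the v2 header is present, while the line after it grows hdrlen by `v2->optlen`, a value read from the packet itself; nothing in this hunk bounds that variable-length tail against len. If qrtr_endpoint_post does not reject `hdrlen > len` (or an equivalent total-length comparison) further down before the header is consumed, an optlen larger than the remaining bytes would still let the parser run past the buffer the commit message sets out to protect. Adding `if (hdrlen > len) goto err;` right after the assignment would make this case self-contained regardless of later checks. The enclosing function continues outside the hunk on both sides, so the presence of such a check cannot be confirmed from here.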