caif: Add sockaddr length check before accessing sa_family in connect handler
Verify that the caller-provided sockaddr structure is large enough to contain the sa_family field, before accessing it in the connect() handler of the AF_CAIF socket. Since the syscall doesn't enforce a minimum size of the corresponding memory region, very short sockaddrs (zero or one byte long) result in operating on uninitialized memory while referencing sa_family. Change-Id: I19e8282cf2d2acf418d69f2380b319203fd23a84 Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
This commit is contained in:
parent
cb74d8b8f0
commit
47644ea6cf
|
@ -760,6 +760,10 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
|
|||
|
||||
lock_sock(sk);
|
||||
|
||||
err = -EINVAL;
|
||||
if (addr_len < offsetofend(struct sockaddr, sa_family))
|
||||
goto out;
|
||||
|
||||
err = -EAFNOSUPPORT;
|
||||
if (uaddr->sa_family != AF_CAIF)
|
||||
goto out;
|
||||
|
|
Loading…
Reference in New Issue