From ac374b5dd91ceb85b3204816893dd3dcd63e9276 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 21 May 2019 13:53:02 +0000
Subject: [PATCH] udpv6: Check address length before reading address family

mainline inclusion
from mainline-5.1-rc6
commit bddc028a4f2a
category: bugfix
bugzilla: 14101
CVE: NA

-------------------------------------------------

KMSAN will complain if valid address length passed to udpv6_pre_connect()
is shorter than sizeof("struct sockaddr"->sa_family) bytes.

(This patch is bogus if it is guaranteed that udpv6_pre_connect() is
always called after checking "struct sockaddr"->sa_family. In that case,
we want a comment why we don't need to check valid address length here.)

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Shijie Luo <luoshijie1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 net/ipv6/udp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index e360b51f95c8..c8a66a888f65 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -967,6 +967,8 @@ static void udp_v6_flush_pending_frames(struct sock *sk)
 static int udpv6_pre_connect(struct sock *sk, struct sockaddr *uaddr,
 			     int addr_len)
 {
+	if (addr_len < offsetofend(struct sockaddr, sa_family))
+		return -EINVAL;
 	/* The following checks are replicated from __ip6_datagram_connect()
 	 * and intended to prevent BPF program called below from accessing
 	 * bytes that are out of the bound specified by user in addr_len.
-- 
GitLab