sctp: Check address length before reading address family

mainline inclusion from mainline-5.1-rc6 commit 175f7c1f01d3 category: bugfix bugzilla: 14097 CVE: NA ------------------------------------------------- KMSAN will complain if valid address length passed to connect() is shorter than sizeof("struct sockaddr"->sa_family) bytes. Signed-off-by: N Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: N Neil Horman <nhorman@tuxdriver.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Zhiqiang Liu <liuzhiqiang26@huawei.com> Reviewed-by: N Wenan Mao <maowenan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

sctp: Check address length before reading address family
mainline inclusion from mainline-5.1-rc6 commit 175f7c1f01d3 category: bugfix bugzilla: 14097 CVE: NA ------------------------------------------------- KMSAN will complain if valid address length passed to connect() is shorter than sizeof("struct sockaddr"->sa_family) bytes. Signed-off-by: N Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: N Neil Horman <nhorman@tuxdriver.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Zhiqiang Liu <liuzhiqiang26@huawei.com> Reviewed-by: N Wenan Mao <maowenan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
3ce072db · Tetsuo Handa · Xie XiuQi · 6c566167 · 3ce072db
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/sctp/socket.c net/sctp/socket.c +2 -1

未找到文件。
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4529,7 +4529,8 @@ static int sctp_connect(struct sock *sk, struct sockaddr *addr,
 	}
 	/* Validate addr_len before calling common connect/connectx routine. */
-	af = sctp_get_af_specific(addr->sa_family);
+	af = addr_len < offsetofend(struct sockaddr, sa_family) ? NULL :
+		sctp_get_af_specific(addr->sa_family);
 	if (!af || addr_len < af->sockaddr_len) {
 		err = -EINVAL;
 	} else {