authorAllan Stephens <Allan.Stephens@windriver.com>2011-01-18 19:09:29 +0100
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-02-24 00:05:07 +0100
commit3f8dd9446e66f2a982ddcff38e4705cfe93eeec6 (patch)
tree2ed15933e1e6825c208113eac4605ac2850117df
parenttipc: Remove unused global variable tipc_user_count (diff)
tipc: Prevent invalid memory access when sending to configuration service
Reject TIPC configuration service messages without a full message header. Previously, an application that sent a message to the configuration service that was too short could cause the validation code to access an uninitialized field in the msghdr structure, resulting in a memory access exception. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--net/tipc/socket.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 893ca6eb5b41..125dcb0737b2 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -493,6 +493,8 @@ static int dest_name_check(struct sockaddr_tipc *dest, struct msghdr *m)
if (likely(dest->addr.name.name.type != TIPC_CFG_SRV))
return -EACCES;
+ if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr)))
+ return -EMSGSIZE;
if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
return -EFAULT;
if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))
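Review bot: The added guard inspects only `m->msg_iov[0].iov_len`, so a configuration message whose header is spread across several iovecs is rejected with -EMSGSIZE even when its total length is sufficient, and nothing in the code says this is intentional. That matches the `copy_from_user()` below, which also reads only the first iovec, but the restriction deserves a comment above the new check, e.g. `/* header must lie wholly within the first iovec; only iov[0] is copied below */`. Separately, the `CAP_NET_ADMIN` decision is made on a private copy of `hdr` taken from user memory; if the send path later re-reads the same user buffer (not visible in this hunk), the type that was checked and the type that is delivered could differ, so it is worth confirming that the privileged-command check is repeated, or the copied header reused, on the data actually sent. dest_name_check's body starts and ends outside the hunk.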