diff mbox series

[RFC,v1,01/10] net: qrtr: ns: validate msglen before ctrl_pkt use

Message ID 20241018181842.1368394-2-denkenz@gmail.com (mailing list archive)
State RFC
Delegated to: Netdev Maintainers
Headers show
Series QRTR Multi-endpoint support | expand

Checks

Context Check Description
netdev/series_format warning Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next, async
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 5 this patch: 5
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Denis Kenzior Oct. 18, 2024, 6:18 p.m. UTC 
The qrtr_ctrl_pkt structure is currently accessed without checking
if the received payload is large enough to hold the structure's fields.
Add a check to ensure the payload length is sufficient.

Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Andy Gross <agross@kernel.org>
---
 net/qrtr/ns.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Chris Lew Oct. 22, 2024, 4:27 a.m. UTC | #1 
On 10/18/2024 11:18 AM, Denis Kenzior wrote:
> The qrtr_ctrl_pkt structure is currently accessed without checking
> if the received payload is large enough to hold the structure's fields.
> Add a check to ensure the payload length is sufficient.
> 
> Signed-off-by: Denis Kenzior <denkenz@gmail.com>
> Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
> Reviewed-by: Andy Gross <agross@kernel.org>
> ---
>   net/qrtr/ns.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
> index 3de9350cbf30..6158e08c0252 100644
> --- a/net/qrtr/ns.c
> +++ b/net/qrtr/ns.c
> @@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
>   			break;
>   		}
>   
> +		if ((size_t)msglen < sizeof(pkt))

sizeof(*pkt)?

> +			break;
> +
>   		pkt = recv_buf;
>   		cmd = le32_to_cpu(pkt->cmd);
>   		if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
Denis Kenzior Oct. 22, 2024, 2:23 p.m. UTC | #2 
Hi Chris,

>> +        if ((size_t)msglen < sizeof(pkt))
> 
> sizeof(*pkt)?
> 

Indeed.  Thank you for catching that, will fix in the next version.

Regards,
-Denis
diff mbox series

Patch

diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 3de9350cbf30..6158e08c0252 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -619,6 +619,9 @@  static void qrtr_ns_worker(struct work_struct *work)
 			break;
 		}
 
+		if ((size_t)msglen < sizeof(pkt))
+			break;
+
 		pkt = recv_buf;
 		cmd = le32_to_cpu(pkt->cmd);
 		if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&