summaryrefslogtreecommitdiff
path: root/net/mctp
diff options
context:
space:
mode:
authorEugene Syromiatnikov <esyr@redhat.com>2021-11-03 20:09:46 +0100
committerJakub Kicinski <kuba@kernel.org>2021-11-04 19:17:48 -0700
commite9ea574ec1c27e555e7f78cbbcd28af91889d529 (patch)
tree5841499503ff35c32733c743ef5f8ea89595a5ed /net/mctp
parent1e4b50f06d970d8da3474d2a0354450416710bda (diff)
downloadlwn-e9ea574ec1c27e555e7f78cbbcd28af91889d529.tar.gz
lwn-e9ea574ec1c27e555e7f78cbbcd28af91889d529.zip
mctp: handle the struct sockaddr_mctp_ext padding field
struct sockaddr_mctp_ext.__smctp_paddin0 has to be checked for being set to zero, otherwise it cannot be utilised in the future. Fixes: 99ce45d5e7dbde39 ("mctp: Implement extended addressing") Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com> Acked-by: Jeremy Kerr <jk@codeconstruct.com.au> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/mctp')
-rw-r--r--net/mctp/af_mctp.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
index bc88159f8844..871cf6266125 100644
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -39,6 +39,13 @@ static bool mctp_sockaddr_is_ok(const struct sockaddr_mctp *addr)
return !addr->__smctp_pad0 && !addr->__smctp_pad1;
}
+static bool mctp_sockaddr_ext_is_ok(const struct sockaddr_mctp_ext *addr)
+{
+ return !addr->__smctp_pad0[0] &&
+ !addr->__smctp_pad0[1] &&
+ !addr->__smctp_pad0[2];
+}
+
static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
{
struct sock *sk = sock->sk;
@@ -135,7 +142,8 @@ static int mctp_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
DECLARE_SOCKADDR(struct sockaddr_mctp_ext *,
extaddr, msg->msg_name);
- if (extaddr->smctp_halen > sizeof(cb->haddr)) {
+ if (!mctp_sockaddr_ext_is_ok(extaddr) ||
+ extaddr->smctp_halen > sizeof(cb->haddr)) {
rc = -EINVAL;
goto err_free;
}
@@ -224,6 +232,7 @@ static int mctp_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
msg->msg_namelen = sizeof(*ae);
ae->smctp_ifindex = cb->ifindex;
ae->smctp_halen = cb->halen;
+ memset(ae->__smctp_pad0, 0x0, sizeof(ae->__smctp_pad0));
memset(ae->smctp_haddr, 0x0, sizeof(ae->smctp_haddr));
memcpy(ae->smctp_haddr, cb->haddr, cb->halen);
}