diff options
author | Phil Blundell <philb@gnu.org> | 2010-11-24 11:49:19 -0800 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2010-12-13 06:54:32 +0100 |
commit | 741f0b33d7823e1aaf19bc979bfac05ba216a0be (patch) | |
tree | 22f14b0eaca2c403a249de5abe9c8a55cd7ebba7 | |
parent | 6830831bea184af5b9cad25a1adc700eb13c7aed (diff) | |
download | linux-2.4-741f0b33d7823e1aaf19bc979bfac05ba216a0be.tar.gz |
econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
Later parts of econet_sendmsg() rely on saddr != NULL, so return early
with EINVAL if NULL was passed otherwise an oops may occur.
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from 2.6 commit fa0e846494792e722d817b9d3d625a4ef4896c96)
-rw-r--r-- | net/econet/af_econet.c | 20 |
1 files changed, 6 insertions, 14 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index 20c1523daa2f36..b32316a58d343e 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c @@ -265,19 +265,12 @@ static int econet_sendmsg(struct socket *sock, struct msghdr *msg, int len, * Get and verify the address. */ - if (saddr == NULL) { - addr.station = sk->protinfo.af_econet->station; - addr.net = sk->protinfo.af_econet->net; - port = sk->protinfo.af_econet->port; - cb = sk->protinfo.af_econet->cb; - } else { - if (msg->msg_namelen < sizeof(struct sockaddr_ec)) - return -EINVAL; - addr.station = saddr->addr.station; - addr.net = saddr->addr.net; - port = saddr->port; - cb = saddr->cb; - } + if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) + return -EINVAL; + addr.station = saddr->addr.station; + addr.net = saddr->addr.net; + port = saddr->port; + cb = saddr->cb; /* Look for a device with the right network number. */ dev = net2dev_map[addr.net]; @@ -311,7 +304,6 @@ static int econet_sendmsg(struct socket *sock, struct msghdr *msg, int len, eb = (struct ec_cb *)&skb->cb; - /* BUG: saddr may be NULL */ eb->cookie = saddr->cookie; eb->sec = *saddr; eb->sent = ec_tx_done; |