diff options
author | Dave Watson <davejwatson@fb.com> | 2017-06-26 08:36:47 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-06-27 15:39:11 -0400 |
commit | d97af30f615eea23ecfefd0e80b2f5f2f41afe55 (patch) | |
tree | 1f50a7a904e2e5a42cdc548763605151f3557b0c | |
parent | 019b13ae85260cfab9d7ccb6ca58f094d18a24fd (diff) |
tcp: fix null ptr deref in getsockopt(..., TCP_ULP, ...)
If icsk_ulp_ops is unset, it dereferences a null ptr.
Add a null ptr check.
BUG: KASAN: null-ptr-deref in copy_to_user include/linux/uaccess.h:168 [inline]
BUG: KASAN: null-ptr-deref in do_tcp_getsockopt.isra.33+0x24f/0x1e30 net/ipv4/tcp.c:3057
Read of size 4 at addr 0000000000000020 by task syz-executor1/15452
Signed-off-by: Dave Watson <davejwatson@fb.com>
Reported-by: "Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/tcp.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 058f509ca98e..4c88d20d91d4 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3062,6 +3062,11 @@ static int do_tcp_getsockopt(struct sock *sk, int level, if (get_user(len, optlen)) return -EFAULT; len = min_t(unsigned int, len, TCP_ULP_NAME_MAX); + if (!icsk->icsk_ulp_ops) { + if (put_user(0, optlen)) + return -EFAULT; + return 0; + } if (put_user(len, optlen)) return -EFAULT; if (copy_to_user(optval, icsk->icsk_ulp_ops->name, len)) |