net/rds: Check address length before reading address family

syzbot is reporting uninitialized value at rds_connect() [1] and rds_bind() [2]. This is because syzbot is passing ulen == 0 whereas these functions expect that it is safe to access sockaddr->family field in order to determine minimal address length for validation. [1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71 [2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f Reported-by: syzbot <syzbot+0049bebbf3042dbd2e8f@syzkaller.appspotmail.com> Reported-by: syzbot <syzbot+915c9f99f3dbc4bd6cd1@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2019-04-12 19:51:52 +0900
committer: David S. Miller <davem@davemloft.net> 2019-04-12 10:25:03 -0700
commit: dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee (patch)
tree: d26646689cb2f5280c29e6d0545ee4be38375ab2 /net/rds/af_rds.c
parent: e3058450965972e67cc0e5492c08c4cdadafc134 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index d6cc97fbbbb0..2b969f99ef13 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -543,6 +543,9 @@ static int rds_connect(struct socket *sock, struct sockaddr *uaddr,
 	struct rds_sock *rs = rds_sk_to_rs(sk);
 	int ret = 0;
 
+	if (addr_len < offsetofend(struct sockaddr, sa_family))
+		return -EINVAL;
+
 	lock_sock(sk);
 
 	switch (uaddr->sa_family) {
author	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>	2019-04-12 19:51:52 +0900
committer	David S. Miller <davem@davemloft.net>	2019-04-12 10:25:03 -0700
commit	dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee (patch)
tree	d26646689cb2f5280c29e6d0545ee4be38375ab2 /net/rds/af_rds.c
parent	e3058450965972e67cc0e5492c08c4cdadafc134 (diff)