econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

Later parts of econet_sendmsg() rely on saddr != NULL, so return early
with EINVAL if NULL was passed otherwise an oops may occur.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Phil Blundell 2010-11-24 11:49:19 -08:00 коммит произвёл David S. Miller
Родитель c39508d6f1
Коммит fa0e846494
1 изменённых файлов: 8 добавлений и 18 удалений

Просмотреть файл

@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
mutex_lock(&econet_mutex);
if (saddr == NULL) {
struct econet_sock *eo = ec_sk(sk);
addr.station = eo->station;
addr.net = eo->net;
port = eo->port;
cb = eo->cb;
} else {
if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
mutex_unlock(&econet_mutex);
return -EINVAL;
}
addr.station = saddr->addr.station;
addr.net = saddr->addr.net;
port = saddr->port;
cb = saddr->cb;
}
if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
mutex_unlock(&econet_mutex);
return -EINVAL;
}
addr.station = saddr->addr.station;
addr.net = saddr->addr.net;
port = saddr->port;
cb = saddr->cb;
/* Look for a device with the right network number. */
dev = net2dev_map[addr.net];
@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
eb = (struct ec_cb *)&skb->cb;
/* BUG: saddr may be NULL */
eb->cookie = saddr->cookie;
eb->sec = *saddr;
eb->sent = ec_tx_done;