diff options
| author |   Pavel Skripkin <paskripkin@gmail.com> | 2021-06-14 15:06:50 +0300 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2021-06-14 13:01:26 -0700 |
| commit | ad9d24c9429e2159d1e279dc3a83191ccb4daf1d (patch) | |
| tree | b07157d1f0f79e572fd9a11bc7703db3a3eb2553 /net/bluetooth/smp.c | |
| parent | ipv4: Fix device used for dst_alloc with local routes (diff) | |
| download | linux-dev-ad9d24c9429e2159d1e279dc3a83191ccb4daf1d.tar.xz linux-dev-ad9d24c9429e2159d1e279dc3a83191ccb4daf1d.zip | |
net: qrtr: fix OOB Read in qrtr_endpoint_post
Syzbot reported slab-out-of-bounds Read in
qrtr_endpoint_post. The problem was in wrong
_size_ type:
if (len != ALIGN(size, 4) + hdrlen)
goto err;
If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of
ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293
in header this check won't fail and
skb_put_data(skb, data + hdrlen, size);
will read out of bound from data, which is hdrlen allocated block.
Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bluetooth/smp.c')
0 files changed, 0 insertions, 0 deletions