AX.25: Prevent out-of-bounds read in ax25_sendmsg()

peilin-ye · davem330 · commit 8885bb0621f0 · 2020-07-22T18:06:49.000-07:00
Checks on `addr_len` and `usax-&gt;sax25_ndigis` are insufficient.
ax25_sendmsg() can go out of bounds when `usax-&gt;sax25_ndigis` equals to 7
or 8. Fix it.

It is safe to remove `usax-&gt;sax25_ndigis &gt; AX25_MAX_DIGIS`, since
`addr_len` is guaranteed to be less than or equal to
`sizeof(struct full_sockaddr_ax25)`

Signed-off-by: Peilin Ye &lt;yepeilin.cs@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
@@ -1509,7 +1509,8 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 			struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
 
 			/* Valid number of digipeaters ? */
-			if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) {
+			if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
+			    sizeof(ax25_address) * usax->sax25_ndigis) {
 				err = -EINVAL;
 				goto out;
 			}

Original file line number	Diff line number	Diff line change
`@@ -1509,7 +1509,8 @@ static int ax25_sendmsg(struct socket sock, struct msghdr msg, size_t len)`
`1509`	`1509`	`struct full_sockaddr_ax25 fsa = (struct full_sockaddr_ax25 )usax;`
`1510`	`1510`
`1511`	`1511`	`/* Valid number of digipeaters ? */`
`1512`		`- if (usax->sax25_ndigis < 1 \|\| usax->sax25_ndigis > AX25_MAX_DIGIS) {`
	`1512`	`+ if (usax->sax25_ndigis < 1 \|\| addr_len < sizeof(struct sockaddr_ax25) +`
	`1513`	`+ sizeof(ax25_address) * usax->sax25_ndigis) {`
`1513`	`1514`	`err = -EINVAL;`
`1514`	`1515`	`goto out;`
`1515`	`1516`	`}`