On 10/18/2024 11:18 AM, Denis Kenzior wrote:
The qrtr_ctrl_pkt structure is currently accessed without checking
if the received payload is large enough to hold the structure's fields.
Add a check to ensure the payload length is sufficient.
Signed-off-by: Denis Kenzior <denkenz@xxxxxxxxx>
Reviewed-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Reviewed-by: Andy Gross <agross@xxxxxxxxxx>
---
net/qrtr/ns.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 3de9350cbf30..6158e08c0252 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
break;
}
+ if ((size_t)msglen < sizeof(pkt))
sizeof(*pkt)?
+ break;
+
pkt = recv_buf;
cmd = le32_to_cpu(pkt->cmd);
if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
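Review bot: the added check compares msglen against sizeof(pkt), but pkt is a pointer (it is assigned from recv_buf and dereferenced as pkt->cmd just below), so this bounds the payload by the pointer size rather than by the structure whose fields are read afterwards. The commit message says the intent is to cover the structure's fields, so the comparison should be "(size_t)msglen < sizeof(*pkt)". Separately, the (size_t) cast turns a negative msglen into a very large value that passes the check, so the test is only sound if error returns have already been handled before this point. The visible context does not show that, so it is worth confirming or doing the comparison on the signed value.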