> As you wrote,
> "join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);"
> line ensures that join_cmd.addr_size can be 0 and various sizeof(struct
> sockaddr_i*). It is enough to check that join_cmd.addr_size has enough
> space to copy join_cmd.addr_size bytes.
>
> If you want to ensure that sizeof(cmd.addr) has the right size, it is better to add
> BUILD_BUG_ON(sizeof(cmd.args) > max3(sizeof(struct sockaddr_in), sizeof(struct sockaddr_in6), sizeof(struct sockaddr_ib)))

I think you may be misunderstanding the bug. Userspace can pass in any
family for cmd.addr, but if userspace passes AF_IB into this API, then
the memcpy will overrun the buffer because sockaddr_ib is bigger than
sockaddr_in6. (That is what syzbot is reporting.)

Anyway, let me respin the bug to just check addr_size against
min(sizeof(cmd.addr), sizeof(join_cmd.addr)) since I think that will
look a little better.

- R.

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
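The bounds check proposed in the reply, worked through in user-space C as an added illustration (not code from the thread or from the kernel): the family decides how many bytes the copy wants, so the count is compared against the smaller of the source and destination buffers before memcpy. `big_addr`, `FAM_BIG`, `addr_size_by_family` and `copy_addr_checked` are constructed stand-ins, not kernel definitions.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Constructed stand-in for a larger family (sockaddr_ib > sockaddr_in6 in the thread). */
#define FAM_BIG 200
struct big_addr { sa_family_t fam; unsigned char body[46]; }; /* 48 bytes */

/* Byte count implied by the family (the role rdma_addr_size() plays above). */
static size_t addr_size_by_family(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    case FAM_BIG:  return sizeof(struct big_addr);
    default:       return 0;          /* unsupported: caller must reject */
    }
}

/* The family picks the copy length, so bound it by the smaller of the two
 * buffers before memcpy, as the reply proposes. Returns bytes copied or -1. */
static int copy_addr_checked(void *dst, size_t dst_len,
                             const struct sockaddr *src, size_t src_len)
{
    size_t n = addr_size_by_family(src);
    size_t limit = src_len < dst_len ? src_len : dst_len;

    if (n == 0 || n > limit)
        return -1;
    memcpy(dst, src, n);
    return (int)n;
}

/* Thread's scenario: in6-sized destination, larger family in the source.
 * An unchecked memcpy would write 48 bytes into 28; this returns -1. */
static int try_big_into_in6(void)
{
    struct big_addr src = { .fam = FAM_BIG };
    struct sockaddr_in6 dst;
    return copy_addr_checked(&dst, sizeof(dst),
                             (const struct sockaddr *)&src, sizeof(src));
}

/* Well-formed case: an AF_INET6 address fits and is copied in full. */
static int try_in6_into_in6(void)
{
    struct sockaddr_in6 src = { .sin6_family = AF_INET6 }, dst;
    return copy_addr_checked(&dst, sizeof(dst),
                             (const struct sockaddr *)&src, sizeof(src));
}
```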