On Wed, Mar 28, 2018 at 10:17:19AM -0700, Roland Dreier wrote:
> > As you wrote,
> > "join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);"
> > line ensures that join_cmd.addr_size can be 0 and various sizeof(struct
> > sockaddr_i*). It is enough to check that join_cmd.addr_size has enough
> > space to copy join_cmd.addr_size bytes.
> >
> > If you want to ensure that sizeof(cmd.addr) has the right size, it is better to add
> > BUILD_BUG_ON(sizeof(cmd.args) > max3(sizeof(struct sockaddr_in), sizeof(struct sockaddr_in6), sizeof(struct sockaddr_ib)))
>
> I think you may be misunderstanding the bug. Userspace can pass in
> any family for cmd.addr, but if userspace passes AF_IB into this API,
> then the memcpy will overrun the buffer because sockaddr_ib is bigger
> than sockaddr_in6. (That is what syzbot is reporting)
>
> Anyway, let me respin the bug to just check addr_size against
> min(sizeof(cmd.addr), sizeof(join_cmd.addr)) since I think that will
> look a little better.

Thanks for the explanation and for respinning.

>
> - R.
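The exchange above boils down to one invariant: a length derived from a user-chosen address family must be clamped to the buffers actually involved before it drives a memcpy. The following is an added, self-contained C illustration of that invariant, not code from the thread or from the kernel. The structs ip_join_cmd, mcast_join_cmd and sockaddr_ib_stub are constructed stand-ins (a 28-byte sockaddr_in6 source, a sockaddr_storage destination, and a 48-byte sockaddr_ib-sized record whose field layout is assumed for illustration); addr_size_by_family plays the role of a size-by-family helper, and copy_join_addr applies the min(sizeof(cmd.addr), sizeof(join_cmd.addr)) bound Roland proposes. AF_IB is defined only if the libc headers lack it, using the Linux value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef AF_IB
#define AF_IB 27 /* Linux value from <linux/socket.h>; only defined if libc lacks it */
#endif

/* Constructed stand-in sized like the kernel's struct sockaddr_ib (48 bytes),
 * i.e. larger than the 28-byte struct sockaddr_in6. The field layout is an
 * assumption for illustration, not a copy of the kernel header. */
struct sockaddr_ib_stub {
    uint16_t sib_family;
    uint16_t sib_pkey;
    uint32_t sib_flowinfo;
    uint8_t  sib_addr[16];
    uint64_t sib_sid;
    uint64_t sib_sid_mask;
    uint64_t sib_scope_id;
};

/* Constructed: the user-visible request (cmd) only has room for a sockaddr_in6. */
struct ip_join_cmd {
    struct sockaddr_in6 addr;
};

/* Constructed: the internal request (join_cmd) has room for the largest family. */
struct mcast_join_cmd {
    struct sockaddr_storage addr;
    uint16_t addr_size;
};

/* Size of the address structure implied by sa_family, or 0 for an
 * unknown family. The family itself comes from userspace, so this
 * value must not be trusted as a copy length on its own. */
size_t addr_size_by_family(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    case AF_IB:    return sizeof(struct sockaddr_ib_stub);
    default:       return 0;
    }
}

/* Returns 1 when a request with the given family would have exceeded the
 * source buffer under an unchecked family-derived memcpy, 0 otherwise.
 * Nothing is copied here; it only compares the two lengths. */
int unchecked_copy_would_overrun(uint16_t family)
{
    struct ip_join_cmd cmd;
    memset(&cmd, 0, sizeof(cmd));
    cmd.addr.sin6_family = family;
    return addr_size_by_family((const struct sockaddr *)&cmd.addr) > sizeof(cmd.addr);
}

/* Hardened copy: the family-derived length is bounded by the smaller of
 * the source and destination buffers, so no family can make memcpy read
 * past cmd.addr or write past join_cmd.addr.
 * Returns 0 on success, -1 (EINVAL in kernel terms) when rejected. */
int copy_join_addr(struct mcast_join_cmd *dst, const struct ip_join_cmd *src)
{
    size_t n = addr_size_by_family((const struct sockaddr *)&src->addr);
    size_t limit = sizeof(src->addr) < sizeof(dst->addr) ? sizeof(src->addr)
                                                          : sizeof(dst->addr);

    if (n == 0 || n > limit)
        return -1;

    memcpy(&dst->addr, &src->addr, n);
    dst->addr_size = (uint16_t)n;
    return 0;
}
```

The min() bound is what makes the check robust to future struct growth: a BUILD_BUG_ON on the destination alone would not catch a source buffer that is smaller than the length the family implies, which is exactly the AF_IB case described in the thread.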