Thanks to all. I have sent patch v2 to fix this.

On Mon, Aug 29, 2022 at 5:08 PM Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx> wrote:
>
>
> Hello Alex.
>
> On 23.08.22 14:22, Alexander Aring wrote:
> > Hi,
> >
> > On Tue, Aug 23, 2022 at 5:42 AM Stefan Schmidt
> > <stefan@xxxxxxxxxxxxxxxxxx> wrote:
> >>
> >> Hello.
> >>
> >> On 22.08.22 09:19, Haimin Zhang wrote:
> >>> There is an uninit value bug in the dgram_sendmsg function in
> >>> net/ieee802154/socket.c when the length of valid data pointed to by
> >>> msg->msg_name isn't verified.
> >>>
> >>> This length is specified by msg->msg_namelen. Function
> >>> ieee802154_addr_from_sa is called by dgram_sendmsg, which uses
> >>> msg->msg_name as struct sockaddr_ieee802154* and reads it, which will
> >>> eventually lead to an uninit value read. So we should check that the length of
> >>> msg->msg_name is not less than sizeof(struct sockaddr_ieee802154)
> >>> before entering ieee802154_addr_from_sa.
> >>>
> >>> Signed-off-by: Haimin Zhang <tcs_kernel@xxxxxxxxxxx>
> >>
> >>
> >> This patch has been applied to the wpan tree and will be
> >> part of the next pull request to net. Thanks!
> >
> > For me this patch is buggy or at least it is questionable how to deal
> > with the size of ieee802154_addr_sa here.
>
> You are right. I completely missed this. Thanks for spotting!
>
> > There should be a helper to calculate the size which depends on the
> > addr_type field. It is not required to send the last 6 bytes if
> > addr_type is IEEE802154_ADDR_SHORT.
> > Nitpick is that we should check in the beginning of that function.
>
> Haimin, in ieee802154 we could have two different sizes for
> ieee802154_addr_sa depending on the addr_type. We have short and
> extended addresses.
>
> Could you please rework this patch to take this into account as Alex
> suggested?
>
> I reverted your original patch from my tree.
>
> regards
> Stefan Schmidt
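The check Alex and Stefan ask for, as an added user-space model that is not the kernel's code, not the v1 patch and not patch v2: the number of valid bytes that `msg_namelen` must cover depends on `addr_type`, so a single `sizeof(struct sockaddr_ieee802154)` comparison rejects legitimate short-address callers, while reading `addr_type` before confirming that even those bytes were supplied is itself an uninitialised read. The struct layouts, the `IEEE802154_ADDR_NONE`/`IEEE802154_ADDR_LONG` values, the `pan_id`/`short_addr`/`hwaddr` field names and the helper names are assumptions modelled on the kernel's ieee802154 address structures; only `addr_type` and `IEEE802154_ADDR_SHORT` come from the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model, not the kernel's definitions. Field names and
 * the enum values other than addr_type / IEEE802154_ADDR_SHORT are assumptions. */
#define IEEE802154_ADDR_LEN 8

enum {
	IEEE802154_ADDR_NONE  = 0,
	IEEE802154_ADDR_SHORT = 2,
	IEEE802154_ADDR_LONG  = 3,
};

struct ieee802154_addr_sa {
	int addr_type;
	uint16_t pan_id;
	union {
		uint8_t hwaddr[IEEE802154_ADDR_LEN];   /* extended (long) address */
		uint16_t short_addr;                   /* short address */
	};
};

struct sockaddr_ieee802154 {
	uint16_t family;                /* stands in for sa_family_t */
	struct ieee802154_addr_sa addr;
};

/* Number of sockaddr bytes that must be present before the given field of the
 * embedded ieee802154_addr_sa may be read (offset of the field plus its size). */
#define NAMELEN_THROUGH(field) \
	(offsetof(struct sockaddr_ieee802154, addr) + \
	 offsetof(struct ieee802154_addr_sa, field) + \
	 sizeof(((struct ieee802154_addr_sa *)0)->field))

/* Minimum msg_namelen for which every field read for this addr_type is
 * initialised. A short address stops at short_addr, so the trailing bytes of
 * hwaddr (6 on this layout) need not be sent. 0 signals an unknown type. */
static size_t needed_namelen(int addr_type)
{
	switch (addr_type) {
	case IEEE802154_ADDR_NONE:  return NAMELEN_THROUGH(addr_type);
	case IEEE802154_ADDR_SHORT: return NAMELEN_THROUGH(short_addr);
	case IEEE802154_ADDR_LONG:  return NAMELEN_THROUGH(hwaddr);
	default:                    return 0;
	}
}

/* Validate msg_namelen up front, before any field of the address is used.
 * The first check must not depend on addr_type: addr_type itself is only
 * initialised if the caller supplied at least the bytes that contain it. */
static int sockaddr_check_size(const struct sockaddr_ieee802154 *sa, int len)
{
	size_t needed;

	if (len < 0 || (size_t)len < NAMELEN_THROUGH(addr_type))
		return -EINVAL;

	needed = needed_namelen(sa->addr.addr_type);
	if (needed == 0 || (size_t)len < needed)
		return -EINVAL;
	return 0;
}

/* Build a constructed sample address of the given type and run the check on it
 * with the supplied msg_namelen, the way a sendmsg path would. */
static int check_with_type(int addr_type, int len)
{
	struct sockaddr_ieee802154 sa;

	memset(&sa, 0, sizeof(sa));
	sa.addr.addr_type = addr_type;
	return sockaddr_check_size(&sa, len);
}

int main(void)
{
	printf("short needs %zu bytes, long needs %zu bytes, sizeof(sockaddr) is %zu\n",
	       needed_namelen(IEEE802154_ADDR_SHORT),
	       needed_namelen(IEEE802154_ADDR_LONG),
	       sizeof(struct sockaddr_ieee802154));
	printf("short address with namelen 8: %d\n",
	       check_with_type(IEEE802154_ADDR_SHORT, 8));
	return 0;
}
```

On a common 64-bit layout this gives 12 bytes for a short address, 18 for an extended one and 20 for the full struct, which is why the original `sizeof`-based check would reject a correct short-address sender; the per-type computation is derived from `offsetof`, so it stays right if padding differs.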