Hi,

On Tue, Aug 30, 2022 at 3:03 AM Haimin Zhang <tcs.kernel@xxxxxxxxx> wrote:
>
> There is an uninit value bug in the dgram_sendmsg function in
> net/ieee802154/socket.c when the length of valid data pointed to by
> msg->msg_name isn't verified.
>
> We should check that msg_namelen is not less than struct
> sockaddr_ieee802154 when addr_type is SHORT before calling
> ieee802154_addr_from_sa. So we define IEEE802154_MIN_NAMELEN.
> And in function ieee802154_addr_from_sa, when
> addr_type is LONG, we check that msg_namelen is not less than
> sizeof(struct sockaddr_ieee802154). Meanwhile we check at the
> beginning of function dgram_sendmsg.
>

There also exists an IEEE802154_ADDR_NONE addr_type. We need to first
check that space is there to evaluate the addr_type. If it's NONE,
ignore hwaddr or short address. If it's SHORT or hwaddr, check if they
have space for it; if it's something completely different, return
-EINVAL.

There are still missing bits and I would recommend introducing a
helper function to do this "kind" of more complex check. This patch
spreads different checks around by checking on IEEE802154_MIN_NAMELEN
(which isn't correct, because NONE) and then requires another check by
calling ieee802154_addr_from_sa() and checking the return code.

- Alex
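As an added example (not the kernel's code and not the patch under review), here is a user-space C model of the single helper Alex asks for: it first requires enough bytes to read addr_type, then requires the bytes each type implies, and rejects reserved types. The struct layout and addr_type values are assumed to mirror the uapi header; NAMELEN_UP_TO and check_namelen_for_type are names chosen for this example.

```c
/* Added example, not kernel code: a user-space model of one helper that
 * validates msg_namelen against addr_type before any address bytes are read.
 * Layout and addr_type values are assumed to mirror the uapi header. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define IEEE802154_ADDR_LEN 8
enum { IEEE802154_ADDR_NONE = 0x0, IEEE802154_ADDR_SHORT = 0x2, IEEE802154_ADDR_LONG = 0x3 };

struct ieee802154_addr_sa {
    int addr_type;
    uint16_t pan_id;
    union {
        uint8_t hwaddr[IEEE802154_ADDR_LEN];
        uint16_t short_addr;
    };
};

struct sockaddr_ieee802154 {
    uint16_t family;                 /* sa_family_t, AF_IEEE802154 */
    struct ieee802154_addr_sa addr;
};
/* Bytes the caller must have supplied for `member` to be readable. */
#define NAMELEN_UP_TO(member) \
    (offsetof(struct sockaddr_ieee802154, member) + sizeof(((struct sockaddr_ieee802154 *)0)->member))

/* 0 if namelen covers everything addr_type implies, else -EINVAL. addr_type
 * itself is read only after namelen proves it is present. */
int ieee802154_sockaddr_check_size(const struct sockaddr_ieee802154 *sa, int namelen)
{
    if (namelen < 0 || (size_t)namelen < NAMELEN_UP_TO(addr.addr_type))
        return -EINVAL;
    switch (sa->addr.addr_type) {
    case IEEE802154_ADDR_NONE:   /* no address bytes required */
        return 0;
    case IEEE802154_ADDR_SHORT:  /* pan_id and short_addr must be present */
        return (size_t)namelen < NAMELEN_UP_TO(addr.short_addr) ? -EINVAL : 0;
    case IEEE802154_ADDR_LONG:   /* the whole hwaddr must be present */
        return (size_t)namelen < sizeof(struct sockaddr_ieee802154) ? -EINVAL : 0;
    default:                     /* reserved or unknown addr_type */
        return -EINVAL;
    }
}
/* Convenience for callers and tests: check a zeroed name of the given addr_type. */
int check_namelen_for_type(int addr_type, int namelen)
{
    struct sockaddr_ieee802154 sa = { 0 };
    sa.addr.addr_type = addr_type;
    return ieee802154_sockaddr_check_size(&sa, namelen);
}
```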