From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 upstream.

This code assumes that the user passed in enough data for a qrtr_hdr_v1 or qrtr_hdr_v2 struct, but it's not necessarily true. If the buffer is too small then it will read beyond the end.

Reported-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
Reported-by: syzbot+b8fe393f999a291a9ea6@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/qrtr/qrtr.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -259,7 +259,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
 	unsigned int ver;
 	size_t hdrlen;
 
-	if (len & 3)
+	if (len == 0 || len & 3)
 		return -EINVAL;
 
 	skb = netdev_alloc_skb(NULL, len);
@@ -273,6 +273,8 @@ int qrtr_endpoint_post(struct qrtr_endpo
 
 	switch (ver) {
 	case QRTR_PROTO_VER_1:
+		if (len < sizeof(*v1))
+			goto err;
 		v1 = data;
 		hdrlen = sizeof(*v1);
 
@@ -286,6 +288,8 @@ int qrtr_endpoint_post(struct qrtr_endpo
 		size = le32_to_cpu(v1->size);
 		break;
 	case QRTR_PROTO_VER_2:
+		if (len < sizeof(*v2))
+			goto err;
 		v2 = data;
 		hdrlen = sizeof(*v2) + v2->optlen;
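Review bot: The new `len == 0` test in the first hunk is there to protect the read of the first byte that `ver` is presumably derived from (that line is outside the hunk), but nothing on the line says so, and the unparenthesized mix of `||` and `&` reads ambiguously at a glance. I would write it as `if (len == 0 || (len & 3))` and put `/* need at least the version byte; frames are 4-byte aligned */` above it so the next reader does not drop the zero check as redundant with the struct-size checks added further down. qrtr_endpoint_post starts before and continues past this hunk.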
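Review bot: The `len < sizeof(*v1)` check in the second hunk (and its `sizeof(*v2)` twin in the third) runs after `netdev_alloc_skb(NULL, len)` in the first hunk has already succeeded, so an undersized frame from the endpoint costs an skb allocation before it is rejected; presumably `err:` releases that skb, but the label is outside the hunk. Since both conditions depend only on `len` and `ver`, it looks like they could be hoisted ahead of the allocation, though the lines that derive `ver` are not visible here. For the v2 case the check covers only the fixed header: `hdrlen = sizeof(*v2) + v2->optlen` still takes `optlen` from the wire, so a `len < hdrlen` check is needed before any payload use, and I cannot see from this diff whether one exists later in the function. A one-line comment such as `/* reject short frames before any header field is dereferenced */` above each check would make the intent clear. qrtr_endpoint_post starts before and ends after this hunk.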