1 From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
2 From: Phil Blundell <philb@gnu.org>
3 Date: Wed, 24 Nov 2010 11:49:19 -0800
4 Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
6 From: Phil Blundell <philb@gnu.org>
8 commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
10 Later parts of econet_sendmsg() rely on saddr != NULL, so return early
11 with EINVAL if NULL was passed; otherwise an oops may occur.
13 Signed-off-by: Phil Blundell <philb@gnu.org>
14 Signed-off-by: David S. Miller <davem@davemloft.net>
15 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 net/econet/af_econet.c | 26 ++++++++------------------
19 1 file changed, 8 insertions(+), 18 deletions(-)
21 --- a/net/econet/af_econet.c
22 +++ b/net/econet/af_econet.c
23 @@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *
25 mutex_lock(&econet_mutex);
27 - if (saddr == NULL) {
28 - struct econet_sock *eo = ec_sk(sk);
30 - addr.station = eo->station;
35 - if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
36 - mutex_unlock(&econet_mutex);
39 - addr.station = saddr->addr.station;
40 - addr.net = saddr->addr.net;
44 + if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
45 + mutex_unlock(&econet_mutex);
48 + addr.station = saddr->addr.station;
49 + addr.net = saddr->addr.net;
53 /* Look for a device with the right network number. */
54 dev = net2dev_map[addr.net];
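Review bot: The new guard `if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec))` carries no comment explaining why a missing destination address is now an error, even though the removed branch used to fall back to the socket's own `eo->station`. Callers that relied on that fallback will now get an error (EINVAL per the commit message), a user-visible change that deserves a line next to the check. I would add `/* A destination address is mandatory: saddr is dereferenced below and again for eb->cookie. */` directly above the `if`. The body of econet_sendmsg() starts and ends outside this hunk, so any other use of `saddr` between the guard and the `eb->cookie` assignment cannot be confirmed from here.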
55 @@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *
57 eb = (struct ec_cb *)&skb->cb;
59 - /* BUG: saddr may be NULL */
60 eb->cookie = saddr->cookie;
62 eb->sent = ec_tx_done;