5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 2 Sep 2022 07:48:19 +0000 (09:48 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 2 Sep 2022 07:48:19 +0000 (09:48 +0200)
added patches:
net-af_packet-check-len-when-min_header_len-equals-to-0.patch

queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch b/queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch
new file mode 100644 (file)
index 0000000..e0f01cb
--- /dev/null
@@ -0,0 +1,35 @@
+From dc633700f00f726e027846a318c5ffeb8deaaeda Mon Sep 17 00:00:00 2001
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+Date: Wed, 27 Jul 2022 17:33:12 +0800
+Subject: net/af_packet: check len when min_header_len equals to 0
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+commit dc633700f00f726e027846a318c5ffeb8deaaeda upstream.
+
+User can use AF_PACKET socket to send packets with the length of 0.
+When min_header_len equals to 0, packet_snd will call __dev_queue_xmit
+to send packets, and sock->type can be any type.
+
+Reported-by: syzbot+5ea725c25d06fb9114c4@syzkaller.appspotmail.com
+Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2986,8 +2986,8 @@ static int packet_snd(struct socket *soc
+       if (err)
+               goto out_free;
+-      if (sock->type == SOCK_RAW &&
+-          !dev_validate_header(dev, skb->data, len)) {
++      if ((sock->type == SOCK_RAW &&
++           !dev_validate_header(dev, skb->data, len)) || !skb->len) {
+               err = -EINVAL;
+               goto out_free;
+       }
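Review bot: The new `|| !skb->len` term in packet_snd is folded into the existing SOCK_RAW header check without a comment, so the condition no longer reads as two separate rules: header validation applies only to SOCK_RAW, while the zero-length rejection applies to every socket type. A comment above the `if`, such as `/* zero-length frames are rejected for every socket type; per the commit message a device with min_header_len == 0 would otherwise let them reach __dev_queue_xmit() */`, would keep a later cleanup from moving the length test back under the SOCK_RAW branch. The added test reads `skb->len` while the validation next to it is passed `len`; if the two can differ at this point, the comment should say which one is meant. packet_snd starts and ends outside the hunk, so that relationship cannot be confirmed from the lines shown.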
index 5ee3fbf71cc8a4f8b85774aa3b799a010031b479..6870b660bed24a3ab7b8aaca45e948fbb0bf024c 100644 (file)
@@ -33,3 +33,4 @@ xfs-always-succeed-at-setting-the-reserve-pool-size.patch
 xfs-fix-overfilling-of-reserve-pool.patch
 xfs-fix-soft-lockup-via-spinning-in-filestream-ag-selection-loop.patch
 xfs-revert-xfs-actually-bump-warning-counts-when-we-send-warnings.patch
+net-af_packet-check-len-when-min_header_len-equals-to-0.patch