From: Henry Martin <[email protected]>
vmci_transport_dgram_dequeue lack of buffer length validation before
accessing `vmci_datagram` header.
Trigger Path:
1. Attacker sends a datagram with length < sizeof(struct
vmci_datagram).
2. `skb_recv_datagram()` returns the malformed sk_buff (skb->len <
sizeof(struct vmci_datagram)).
3. Code casts skb->data to struct vmci_datagram *dg without verifying
skb->len.
4. Accessing `dg->payload_size` (Line: `payload_len =
dg->payload_size;`) reads out-of-bounds memory.
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Reported-by: TCS Robot <[email protected]>
Signed-off-by: Henry Martin <[email protected]>
---
net/vmw_vsock/vmci_transport.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 7eccd6708d66..0be605e19b2e 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1749,6 +1749,11 @@ static int vmci_transport_dgram_dequeue(struct
vsock_sock *vsk,
if (!skb)
return err;
+ if (skb->len < sizeof(struct vmci_datagram)) {
+ err = -EINVAL;
+ goto out;
+ }
+
dg = (struct vmci_datagram *)skb->data;
if (!dg)
/* err is 0, meaning we read zero bytes. */
--
2.41.3
