packet: validate address length

[ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ]

Packet sockets with SOCK_DGRAM may pass an address for use in
dev_hard_header. Ensure that it is of sufficient length.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 88d5b2645bb06fe08633dbcb545b815f1fc542f7..e63d207047ce8f1ad5ebb36001076fe9cb87d036 100644 (file)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2665,6 +2665,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
                proto   = saddr->sll_protocol;
                addr    = saddr->sll_addr;
                dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+               if (addr && dev && saddr->sll_halen < dev->addr_len)
+                       goto out;
        }
 
        err = -ENXIO;
@@ -2863,6 +2865,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
                proto   = saddr->sll_protocol;
                addr    = saddr->sll_addr;
                dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+               if (addr && dev && saddr->sll_halen < dev->addr_len)
+                       goto out;
        }
 
        err = -ENXIO;