author Louis Fabien <fabienx.louis@intel.com> 2016-11-17 14:44:44 +0100
committer jenkins_ndg <jenkins_ndg@intel.com> 2016-11-28 10:34:27 +0000
commit d795a4318d9f748eed0d199963f77c918ffe9646
tree 8f3789e8ba63c70145034a54e60dd30d1f421b5d
parent 051f93fa8ac16ed657ad6d847068e49727a20cc5
net: add additional validation of len variable
There is no validation of the len variable passed to the ping_common_sendmsg function to check if it is less than icmph_len leading to a potential overflow. The fix is designed to add additional validation to prevent the potential overflow. It fixes CVE-2016-8399.

Bug: 31349935
Change-Id: I97d893a2e207bb614ca6632c147d7af81f701a8c
Tracked-On: https://jira01.devtools.intel.com/browse/AW-2810
Signed-off-by: Louis Fabien <fabienx.louis@intel.com>
Reviewed-on: https://android.intel.com/552862
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Tested-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Maalem, Saadi <saadi.maalem@intel.com>
-rw-r--r-- net/ipv4/ping.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index e9d5fe962a52..0d5391d478e3 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -651,7 +651,7 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
void *user_icmph, size_t icmph_len) {
u8 type, code;
- if (len > 0xFFFF)
+ if (len > 0xFFFF || len < icmph_len)
return -EMSGSIZE;
/*
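Review bot: the new `len < icmph_len` case in the size check shares `return -EMSGSIZE` with the `len > 0xFFFF` case, so a caller cannot tell a message that is too short to hold the ICMP header from one that is too long, and EMSGSIZE conventionally means "message too long". Consider giving the short case its own branch with an error such as -EINVAL, or state in the commit message why one error code for both is intended. The condition would also benefit from a one-line comment saying that len must cover at least icmph_len bytes, since the commit message refers to a potential overflow but nothing in this hunk shows where len is later combined with icmph_len.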