Re: [PATCH v2 01/10] net: qrtr: ns: validate msglen before ctrl_pkt use
From: Casey Connolly
Date: Mon Jul 21 2025 - 07:02:59 EST
Hi Mihai
On 19/07/2025 20:59, Mihai Moldovan wrote:
> From: Denis Kenzior <denkenz@xxxxxxxxx>
>
> The qrtr_ctrl_pkt structure is currently accessed without checking
> if the received payload is large enough to hold the structure's fields.
> Add a check to ensure the payload length is sufficient.
>
> Signed-off-by: Denis Kenzior <denkenz@xxxxxxxxx>
> Reviewed-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
> Reviewed-by: Andy Gross <agross@xxxxxxxxxx>
> Signed-off-by: Mihai Moldovan <ionic@xxxxxxxx>
I think this is missing a Fixes: tag?
Kind regards,
>
> ---
>
> v2:
> - rebase against current master
> - use correct size of packet structure as per review comment
> ---
> net/qrtr/ns.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
> index 3de9350cbf30..2bcfe539dc3e 100644
> --- a/net/qrtr/ns.c
> +++ b/net/qrtr/ns.c
> @@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
> break;
> }
>
> + if ((size_t)msglen < sizeof(*pkt))
> + break;
> +
> pkt = recv_buf;
> cmd = le32_to_cpu(pkt->cmd);
> if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
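Review bot: the new length check in qrtr_ns_worker() bails out with a bare "break" and logs nothing, so an undersized control packet is dropped silently. If this sits in the receive loop, as the "break" in the context just above suggests, it also ends processing of anything else queued in this pass. If one short packet should not stop the pass, consider "continue" here, and a rate-limited message would make malformed senders visible. Separately, the "(size_t)msglen" cast is only correct while negative return values are rejected before this point: a negative msglen reaching the cast becomes a very large value and passes the "< sizeof(*pkt)" test, so the check needs to stay below the error branch, and a short comment saying so would help.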
--
// Casey (she/her)