[PATCH v5 01/11] net: qrtr: ns: validate msglen before ctrl_pkt use
From: Mihai Moldovan
Date: Mon Aug 11 2025 - 21:46:07 EST
From: Denis Kenzior <denkenz@xxxxxxxxx>
The qrtr_ctrl_pkt structure is currently accessed without checking
if the received payload is large enough to hold the structure's fields.
Add a check to ensure the payload length is sufficient.
Signed-off-by: Denis Kenzior <denkenz@xxxxxxxxx>
Reviewed-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Reviewed-by: Andy Gross <agross@xxxxxxxxxx>
Signed-off-by: Mihai Moldovan <ionic@xxxxxxxx>
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
---
v5:
- no changes
- Link to v4: https://msgid.link/456d8dff226c88657c79f1dbadf0dcaba8b905ae.1753720934.git.ionic@xxxxxxxx
v4:
- no changes
- Link to v3: https://msgid.link/a3bc13d1496404e96723a427086271107016bdd6.1753312999.git.ionic@xxxxxxxx
v3:
- add Fixes: tag
- rebase against current master
- Link to v2: https://msgid.link/866f309e9739d770dce7e8c648b562d37db1d8b5.1752947108.git.ionic@xxxxxxxx
v2:
- rebase against current master
- use correct size of packet structure as per review comment
- Link to v1: https://msgid.link/20241018181842.1368394-2-denkenz@xxxxxxxxx
---
net/qrtr/ns.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 3de9350cbf30..2bcfe539dc3e 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
break;
}
+ if ((size_t)msglen < sizeof(*pkt))
+ break;
+
pkt = recv_buf;
cmd = le32_to_cpu(pkt->cmd);
if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
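Review bot: The added `break` on a short message discards the packet without any trace and, like the `break` in the context line just above it, leaves the enclosing construct, so a single undersized control packet may also end handling of whatever is still queued behind it. If the intent is to skip only the malformed packet, `continue` would fit better, and a rate-limited log message would make a misbehaving sender visible. The `(size_t)msglen` cast is only safe when negative `msglen` values have already been rejected; the hunk does not show that, and a negative value cast to `size_t` would pass this comparison, so please state that precondition in a comment or in the commit message. Minor: `sizeof(*pkt)` ahead of `pkt = recv_buf;` is valid but reads oddly; moving the check below the assignment would be clearer.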
--
2.50.0