vhost/vsock: check length in rx header

Message ID 20230104200642.4071622-1-bobby.eshleman@bytedance.com
State New
Series vhost/vsock: check length in rx header

Commit Message

Bobby Eshleman Jan. 4, 2023, 8:06 p.m. UTC
  Check that the rx packet length indicated by the header does not exceed
the iov length.

Fixes: b68396fad17f ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Reported-by: syzbot+30b72abaa17c07fe39dd@syzkaller.appspotmail.com
Signed-off-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
---
 drivers/vhost/vsock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
  

Patch

diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 982ca479c659..84dec9ac62c1 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -365,8 +365,9 @@  vhost_vsock_alloc_skb(struct vhost_virtqueue *vq,
 	if (!payload_len)
 		return skb;
 
-	/* The pkt is too big */
-	if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE) {
+	/* The pkt is too big or the length in the header is invalid */
+	if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
+	    payload_len > len) {
 		kfree_skb(skb);
 		return NULL;
 	}
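
Review bot: The new bound `payload_len > len` does not make clear whether `len` is the space available for the payload or the whole iov length that the commit message refers to. If `len` also covers the packet header, a `payload_len` equal to `len` passes this check even though header plus payload would be larger than the buffer, so the comparison should be against the length left after the header. It would also help for the commit message to say which length `len` is and what goes wrong without the check, since the syzbot report is cited only by address.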