mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-10 21:10:49 +02:00
Validate LinuxKM I/O lengths
Reject negative lengths and normalize to size_t before calling kernel_sendmsg/kernel_recvmsg so the kernel transport can’t be tricked into huge or wrapped iov_len values.
This commit is contained in:
+26
-4
@@ -1153,20 +1153,42 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx)
|
||||
static int linuxkm_send(struct socket *socket, void *buf, int size,
|
||||
unsigned int flags)
|
||||
{
|
||||
size_t len;
|
||||
int ret;
|
||||
struct kvec vec = { .iov_base = buf, .iov_len = size };
|
||||
struct kvec vec;
|
||||
struct msghdr msg = { .msg_flags = flags };
|
||||
ret = kernel_sendmsg(socket, &msg, &vec, 1, size);
|
||||
|
||||
if (size < 0)
|
||||
return -EINVAL;
|
||||
if (size == 0)
|
||||
return 0;
|
||||
|
||||
len = (size_t)size;
|
||||
vec.iov_base = buf;
|
||||
vec.iov_len = len;
|
||||
|
||||
ret = kernel_sendmsg(socket, &msg, &vec, 1, len);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int linuxkm_recv(struct socket *socket, void *buf, int size,
|
||||
unsigned int flags)
|
||||
{
|
||||
size_t len;
|
||||
int ret;
|
||||
struct kvec vec = { .iov_base = buf, .iov_len = size };
|
||||
struct kvec vec;
|
||||
struct msghdr msg = { .msg_flags = flags };
|
||||
ret = kernel_recvmsg(socket, &msg, &vec, 1, size, msg.msg_flags);
|
||||
|
||||
if (size < 0)
|
||||
return -EINVAL;
|
||||
if (size == 0)
|
||||
return 0;
|
||||
|
||||
len = (size_t)size;
|
||||
vec.iov_base = buf;
|
||||
vec.iov_len = len;
|
||||
|
||||
ret = kernel_recvmsg(socket, &msg, &vec, 1, len, msg.msg_flags);
|
||||
return ret;
|
||||
}
|
||||
#endif /* WOLFSSL_LINUXKM */
|
||||
|
||||
Reference in New Issue
Block a user