Validate LinuxKM I/O lengths

Reject negative lengths and normalize to size_t before calling kernel_sendmsg/kernel_recvmsg so the kernel transport can’t be tricked into huge or wrapped iov_len values.
This commit is contained in:
Andrew Hutchings
2025-10-21 14:36:06 +01:00
parent 259670055a
commit 90e0857d2d
+26 -4
View File
@@ -1153,20 +1153,42 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx)
static int linuxkm_send(struct socket *socket, void *buf, int size,
unsigned int flags)
{
size_t len;
int ret;
struct kvec vec = { .iov_base = buf, .iov_len = size };
struct kvec vec;
struct msghdr msg = { .msg_flags = flags };
ret = kernel_sendmsg(socket, &msg, &vec, 1, size);
if (size < 0)
return -EINVAL;
if (size == 0)
return 0;
len = (size_t)size;
vec.iov_base = buf;
vec.iov_len = len;
ret = kernel_sendmsg(socket, &msg, &vec, 1, len);
return ret;
}
static int linuxkm_recv(struct socket *socket, void *buf, int size,
unsigned int flags)
{
size_t len;
int ret;
struct kvec vec = { .iov_base = buf, .iov_len = size };
struct kvec vec;
struct msghdr msg = { .msg_flags = flags };
ret = kernel_recvmsg(socket, &msg, &vec, 1, size, msg.msg_flags);
if (size < 0)
return -EINVAL;
if (size == 0)
return 0;
len = (size_t)size;
vec.iov_base = buf;
vec.iov_len = len;
ret = kernel_recvmsg(socket, &msg, &vec, 1, len, msg.msg_flags);
return ret;
}
#endif /* WOLFSSL_LINUXKM */