From 90e0857d2d8231868ea5cb5f7bba598da5b09761 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Tue, 21 Oct 2025 14:36:06 +0100 Subject: [PATCH] Validate LinuxKM I/O lengths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reject negative lengths and normalize to size_t before calling kernel_sendmsg/kernel_recvmsg so the kernel transport can’t be tricked into huge or wrapped iov_len values. --- src/wolfio.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/src/wolfio.c b/src/wolfio.c index 42b02f9e52..e385d4ac97 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -1153,20 +1153,42 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) static int linuxkm_send(struct socket *socket, void *buf, int size, unsigned int flags) { + size_t len; int ret; - struct kvec vec = { .iov_base = buf, .iov_len = size }; + struct kvec vec; struct msghdr msg = { .msg_flags = flags }; - ret = kernel_sendmsg(socket, &msg, &vec, 1, size); + + if (size < 0) + return -EINVAL; + if (size == 0) + return 0; + + len = (size_t)size; + vec.iov_base = buf; + vec.iov_len = len; + + ret = kernel_sendmsg(socket, &msg, &vec, 1, len); return ret; } static int linuxkm_recv(struct socket *socket, void *buf, int size, unsigned int flags) { + size_t len; int ret; - struct kvec vec = { .iov_base = buf, .iov_len = size }; + struct kvec vec; struct msghdr msg = { .msg_flags = flags }; - ret = kernel_recvmsg(socket, &msg, &vec, 1, size, msg.msg_flags); + + if (size < 0) + return -EINVAL; + if (size == 0) + return 0; + + len = (size_t)size; + vec.iov_base = buf; + vec.iov_len = len; + + ret = kernel_recvmsg(socket, &msg, &vec, 1, len, msg.msg_flags); return ret; } #endif /* WOLFSSL_LINUXKM */