author | Ting-Yu Wang <anivia@google.com> | 2020-01-08 16:29:12 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-01-08 16:32:34 -0800 |
commit | b3ae8a62cfdf13821d35467d4150ed983ac556f1 (patch) | |
tree | 778c28cee4085839d1a909d1582e31296fc03b98 /pkg | |
parent | 1c2420146777de5b5727f69331b50be1b57a3351 (diff) |
Fix slice bounds out of range panic in parsing socket control message.
Panic found by syzkaller.
PiperOrigin-RevId: 288799046
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/sentry/socket/control/control.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/pkg/sentry/socket/control/control.go b/pkg/sentry/socket/control/control.go
index af1a4e95f..4301b697c 100644
--- a/pkg/sentry/socket/control/control.go
+++ b/pkg/sentry/socket/control/control.go
@@ -471,6 +471,9 @@ func Parse(t *kernel.Task, socketOrEndpoint interface{}, buf []byte) (socket.Con
 case linux.SOL_IP:
 switch h.Type {
 case linux.IP_TOS:
+ if length < linux.SizeOfControlMessageTOS {
+ return socket.ControlMessages{}, syserror.EINVAL
+ }
 cmsgs.IP.HasTOS = true
 binary.Unmarshal(buf[i:i+linux.SizeOfControlMessageTOS], usermem.ByteOrder, &cmsgs.IP.TOS)
 i += AlignUp(length, width)
@@ -481,6 +484,9 @@ func Parse(t *kernel.Task, socketOrEndpoint interface{}, buf []byte) (socket.Con
 case linux.SOL_IPV6:
 switch h.Type {
 case linux.IPV6_TCLASS:
+ if length < linux.SizeOfControlMessageTClass {
+ return socket.ControlMessages{}, syserror.EINVAL
+ }
 cmsgs.IP.HasTClass = true
 binary.Unmarshal(buf[i:i+linux.SizeOfControlMessageTClass], usermem.ByteOrder, &cmsgs.IP.TClass)
 i += AlignUp(length, width) |
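Review bot: The new guards in the `IP_TOS` and `IPV6_TCLASS` cases compare `length`, which presumably comes from the caller-supplied cmsg header, with the payload size, but the slice that panicked, `buf[i:i+linux.SizeOfControlMessageTOS]`, is bounded by `len(buf)`, so the fix is complete only if `length <= len(buf)-i` is already enforced before the switch. That earlier check is not visible here, because Parse's body starts and ends outside both hunks; it is worth confirming and recording next to each guard, e.g. `// length <= len(buf)-i is checked above, so length >= size keeps buf[i:i+size] in range`. The same reasoning applies to `i += AlignUp(length, width)`, which can step past `len(buf)` unless the loop condition outside the hunk tolerates it. Since the panic was found by fuzzing, a regression test that feeds Parse a truncated IP_TOS and a truncated IPV6_TCLASS message and expects EINVAL would pin the behaviour; none appears in the diffstat shown, which is limited to pkg.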