[PATCH v2 01/10] net: qrtr: ns: validate msglen before ctrl_pkt use

Mihai Moldovan posted 10 patches 2 months, 2 weeks ago
There is a newer version of this series
[PATCH v2 01/10] net: qrtr: ns: validate msglen before ctrl_pkt use
Posted by Mihai Moldovan 2 months, 2 weeks ago
From: Denis Kenzior <denkenz@gmail.com>

The qrtr_ctrl_pkt structure is currently accessed without checking
if the received payload is large enough to hold the structure's fields.
Add a check to ensure the payload length is sufficient.

Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Andy Gross <agross@kernel.org>
Signed-off-by: Mihai Moldovan <ionic@ionic.de>

---

v2:
  - rebase against current master
  - use correct size of packet structure as per review comment
---
 net/qrtr/ns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 3de9350cbf30..2bcfe539dc3e 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
 			break;
 		}
 
+		if ((size_t)msglen < sizeof(*pkt))
+			break;
+
 		pkt = recv_buf;
 		cmd = le32_to_cpu(pkt->cmd);
 		if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
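
Review bot: the added short-length branch leaves via `break` and logs nothing, so a truncated control packet is dropped silently. If this code sits inside the worker's receive loop, as the `break` in the branch just above suggests, it also stops processing anything still queued behind the bad packet until the worker runs again. Consider `continue` to skip only the malformed packet, and a rate-limited message such as `pr_err_ratelimited` so that short packets show up when debugging.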
-- 
2.50.0
Re: [PATCH v2 01/10] net: qrtr: ns: validate msglen before ctrl_pkt use
Posted by Casey Connolly 2 months, 2 weeks ago
Hi Mihai

On 19/07/2025 20:59, Mihai Moldovan wrote:
> From: Denis Kenzior <denkenz@gmail.com>
> 
> The qrtr_ctrl_pkt structure is currently accessed without checking
> if the received payload is large enough to hold the structure's fields.
> Add a check to ensure the payload length is sufficient.
> 
> Signed-off-by: Denis Kenzior <denkenz@gmail.com>
> Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
> Reviewed-by: Andy Gross <agross@kernel.org>
> Signed-off-by: Mihai Moldovan <ionic@ionic.de>

I think this is missing a Fixes: tag?

Kind regards,

> 
> ---
> 
> v2:
>   - rebase against current master
>   - use correct size of packet structure as per review comment
> ---
>  net/qrtr/ns.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
> index 3de9350cbf30..2bcfe539dc3e 100644
> --- a/net/qrtr/ns.c
> +++ b/net/qrtr/ns.c
> @@ -619,6 +619,9 @@ static void qrtr_ns_worker(struct work_struct *work)
>  			break;
>  		}
>  
> +		if ((size_t)msglen < sizeof(*pkt))
> +			break;
> +
>  		pkt = recv_buf;
>  		cmd = le32_to_cpu(pkt->cmd);
>  		if (cmd < ARRAY_SIZE(qrtr_ctrl_pkt_strings) &&
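
Review bot: `sizeof(*pkt)` in the added check appears before `pkt = recv_buf;` two lines further down. This is valid C because `sizeof` does not evaluate its operand, but it reads like a use of an unassigned pointer. Moving the check below the assignment, or writing `sizeof(struct qrtr_ctrl_pkt)`, would be clearer. The `(size_t)` cast is only correct when `msglen` is already known to be non-negative at this point, since a negative value would convert to a very large size and pass the check. A one-line comment tying the cast to the error handling above would make that dependency explicit.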

-- 
// Casey (she/her)
Re: [PATCH v2 01/10] net: qrtr: ns: validate msglen before ctrl_pkt use
Posted by Mihai Moldovan 2 months, 2 weeks ago
* On 7/21/25 13:02, Casey Connolly wrote:
> On 19/07/2025 20:59, Mihai Moldovan wrote:
> 
> I think this is missing a Fixes: tag?

Thanks.

Will add Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from 
userspace") in v3.

I haven't seen any reports of this actually tripping anything up.



Mihai