tuntap: add sanity checks about msg_controllen in sendmsg

In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to tun_sendmsg. Although we donot use msg_controllen in this path, we should check msg_controllen to make sure the caller pass a valid msg_ctl. [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505 Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Suggested-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Harold Huang <baymaxhuang@gmail.com> Acked-by: Jason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20220303022441.383865-1-baymaxhuang@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Harold Huang <baymaxhuang@gmail.com> 2022-03-03 10:24:40 +0800
committer: Jakub Kicinski <kuba@kernel.org> 2022-03-02 22:00:59 -0800
commit: 74a335a07a17d131b9263bfdbdcb5e40673ca9ca (patch)
tree: 0b6e1fe55e27bbca846fb3db4bad717e0bf699b9 /drivers/net/tap.c
parent: fa452e0a609a038e5ef9d2e042bb80e08e1af7af (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
 	struct xdp_buff *xdp;
 	int i;
 
-	if (ctl && (ctl->type == TUN_MSG_PTR)) {
+	if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+	    ctl && ctl->type == TUN_MSG_PTR) {
 		for (i = 0; i < ctl->num; i++) {
 			xdp = &((struct xdp_buff *)ctl->ptr)[i];
 			tap_get_user_xdp(q, xdp);
author	Harold Huang <baymaxhuang@gmail.com>	2022-03-03 10:24:40 +0800
committer	Jakub Kicinski <kuba@kernel.org>	2022-03-02 22:00:59 -0800
commit	74a335a07a17d131b9263bfdbdcb5e40673ca9ca (patch)
tree	0b6e1fe55e27bbca846fb3db4bad717e0bf699b9 /drivers/net/tap.c
parent	fa452e0a609a038e5ef9d2e042bb80e08e1af7af (diff)