From d97af30f615eea23ecfefd0e80b2f5f2f41afe55 Mon Sep 17 00:00:00 2001 From: Dave Watson Date: Mon, 26 Jun 2017 08:36:47 -0700 Subject: [PATCH] tcp: fix null ptr deref in getsockopt(..., TCP_ULP, ...) If icsk_ulp_ops is unset, it dereferences a null ptr. Add a null ptr check. BUG: KASAN: null-ptr-deref in copy_to_user include/linux/uaccess.h:168 [inline] BUG: KASAN: null-ptr-deref in do_tcp_getsockopt.isra.33+0x24f/0x1e30 net/ipv4/tcp.c:3057 Read of size 4 at addr 0000000000000020 by task syz-executor1/15452 Signed-off-by: Dave Watson Reported-by: "Levin, Alexander (Sasha Levin)" Signed-off-by: David S. Miller --- net/ipv4/tcp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 058f509ca98e..4c88d20d91d4 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3062,6 +3062,11 @@ static int do_tcp_getsockopt(struct sock *sk, int level, if (get_user(len, optlen)) return -EFAULT; len = min_t(unsigned int, len, TCP_ULP_NAME_MAX); + if (!icsk->icsk_ulp_ops) { + if (put_user(0, optlen)) + return -EFAULT; + return 0; + } if (put_user(len, optlen)) return -EFAULT; if (copy_to_user(optval, icsk->icsk_ulp_ops->name, len)) -- 2.30.2