From 530a938a6277d0dd7ae6fcfa4d5ba74ecdd72f17 Mon Sep 17 00:00:00 2001
From: Thomas Schoebel-Theuer
Date: Sat, 7 Nov 2020 07:57:22 +0100
Subject: [PATCH] net: safeguard recv of bad string size
---
 kernel/mars_net.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/kernel/mars_net.c b/kernel/mars_net.c
index 68fefa28..19065605 100644
--- a/kernel/mars_net.c
+++ b/kernel/mars_net.c
@@ -984,11 +984,20 @@ int _desc_recv_item(struct mars_socket *msock, void *data, const struct mars_des
 status = mars_recv_raw(msock, &len, sizeof(len), sizeof(len));
 if (unlikely(status < 0))
 goto done;
+ if (unlikely(len < 0 || len > KMALLOC_MAX_SIZE)) {
+ MARS_ERR("#%d bad string alloc size %d\n",
+ msock->s_debug_nr, len);
+ status = -EOVERFLOW;
+ goto done;
+ }
 if (len > 0 && item) {
 char *str = _brick_string_alloc(len, line);
+
 if (unlikely(!str)) {
- MARS_ERR("#%d string alloc error\n", msock->s_debug_nr);
+ MARS_ERR("#%d string alloc error\n",
+ msock->s_debug_nr);
+ status = -ENOMEM;
 goto done;
 }
 *(void**)item = str;
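Review bot: The new bound on `len` in `_desc_recv_item` is the allocator's ceiling rather than a protocol limit, so a peer can still make the receiver attempt an allocation of up to `KMALLOC_MAX_SIZE` bytes for each string field it sends. If the wire format has a sensible maximum string length, checking against a named constant for it, e.g. `if (unlikely(len < 0 || len > MARS_MAX_STRING_LEN)) {` (placeholder name, not defined on this page), would make this input validation rather than allocation-failure avoidance. Whether `_brick_string_alloc()` adds a terminator or header on top of `len` is not visible here; if it does, `len == KMALLOC_MAX_SIZE` still exceeds what can be allocated and the comparison should account for that overhead. The function body starts and ends outside the hunk, so the later receive into `str` and the handling at `done:` are not covered by this note.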