syzbot found an uninitialized targetless variable. The user-provided data was only 28 bytes long, but initializing targetless requires at least 44 bytes. This discrepancy ultimately led to the uninitialized variable access issue reported by syzbot [1]. Adding a message length check to the arp update process eliminates the uninitialized issue in [1]. [1] BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline] lec_arp_update net/atm/lec.c:1845 [inline] lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385 vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650 Reported-by: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis --- net/atm/lec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/atm/lec.c b/net/atm/lec.c index afb8d3eb2185..178132b2771a 100644 --- a/net/atm/lec.c +++ b/net/atm/lec.c @@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb) break; fallthrough; case l_arp_update: + { + int need_size = offsetofend(struct atmlec_msg, + content.normal.targetless_le_arp); + if (skb->len < need_size) { + pr_info("Input msg size too small, need %d got %u\n", + need_size, skb->len); + dev_kfree_skb(skb); + return -EINVAL; + } lec_arp_update(priv, mesg->content.normal.mac_addr, mesg->content.normal.atm_addr, mesg->content.normal.flag, @@ -394,6 +403,7 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb) tmp, mesg->sizeoftlvs); } break; + } case l_config: priv->maximum_unknown_frame_count = mesg->content.config.maximum_unknown_frame_count; -- 2.43.0
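Review bot: In the first hunk, `need_size` is declared as a signed `int` and compared against `skb->len`, which is `unsigned int`, and then printed with `%d` next to `%u`; since `offsetofend()` yields a `size_t`-class constant, declare it as `unsigned int need_size = offsetofend(...)` (or `size_t` with `%zu`) so the comparison and the format string have matching signedness. Also, because this path is reached from `vcc_sendmsg()` with attacker-controlled message lengths, the unconditional `pr_info()` lets an unprivileged sender flood the kernel log; use `pr_info_ratelimited()` (or drop the message silently) for the new error path. Finally, the commit message should state why the existing top-of-function length check in `lec_atm_send()` does not already cover `content.normal.targetless_le_arp`, so the reviewer can confirm this is the only `mesg->content` field read beyond the minimum length.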
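Review bot: In the second hunk, the closing `}` placed after `break;` wraps the entire `case l_arp_update:` body in a brace block purely to scope `need_size`; kernel style generally avoids braced case bodies, and since `offsetofend()` evaluates to a compile-time constant the local is unnecessary. Either compare directly, `if (skb->len < offsetofend(struct atmlec_msg, content.normal.targetless_le_arp))`, or hoist the declaration to the top of `lec_atm_send()`, which removes both added braces and keeps the `case l_config:` label adjacent to the preceding `break;` as before.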