From: Henry Martin vmci_transport_dgram_dequeue lack of buffer length validation before accessing `vmci_datagram` header. Trigger Path: 1. Attacker sends a datagram with length < sizeof(struct vmci_datagram). 2. `skb_recv_datagram()` returns the malformed sk_buff (skb->len < sizeof(struct vmci_datagram)). 3. Code casts skb->data to struct vmci_datagram *dg without verifying skb->len. 4. Accessing `dg->payload_size` (Line: `payload_len = dg->payload_size;`) reads out-of-bounds memory. Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Reported-by: TCS Robot Signed-off-by: Henry Martin --- net/vmw_vsock/vmci_transport.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c index 7eccd6708d66..0be605e19b2e 100644 --- a/net/vmw_vsock/vmci_transport.c +++ b/net/vmw_vsock/vmci_transport.c @@ -1749,6 +1749,11 @@ static int vmci_transport_dgram_dequeue(struct vsock_sock *vsk, if (!skb) return err; + if (skb->len < sizeof(struct vmci_datagram)) { + err = -EINVAL; + goto out; + } + dg = (struct vmci_datagram *)skb->data; if (!dg) /* err is 0, meaning we read zero bytes. */ -- 2.41.3
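Review bot: the new early return in the hunk sets `err = -EINVAL` and jumps to `out`, but the `out:` label is outside the visible context, so please confirm that path releases the skb returned by `skb_recv_datagram()` (the one guarded by `if (!skb) return err;` just above the added lines); if it does not, every undersized datagram leaks an skb. Also consider whether a truncated datagram from the remote peer should fail the caller's recvmsg() with -EINVAL or be dropped so the caller keeps receiving, and state the choice in the commit message. Finally, `sizeof(struct vmci_datagram)` bounds only the fixed header; since the commit message identifies `payload_len = dg->payload_size;` as the problematic read, please confirm that `payload_size` is checked against `skb->len - sizeof(struct vmci_datagram)` before the payload is copied, since the header check alone does not bound that later access.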