* [PATCH net-next] tcp: return sizeof tcp_dctcp_info in dctcp_get_info()
@ 2016-06-13 15:20 Neal Cardwell
2016-06-13 15:47 ` Daniel Borkmann
2016-06-15 6:46 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Neal Cardwell @ 2016-06-13 15:20 UTC (permalink / raw)
To: David Miller; +Cc: netdev, Neal Cardwell, Soheil Hassas Yeganeh, Eric Dumazet
Make sure that dctcp_get_info() returns only the size of the
info->dctcp struct that it zeroes out and fills in. Previously it had
been returning the size of the enclosing tcp_cc_info union,
sizeof(*info). There is no problem yet, but that union that may one
day be larger than struct tcp_dctcp_info, in which case the
TCP_CC_INFO code might accidentally copy uninitialized bytes from the
stack.
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv4/tcp_dctcp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c
index 7e538f7..10d728b 100644
--- a/net/ipv4/tcp_dctcp.c
+++ b/net/ipv4/tcp_dctcp.c
@@ -293,7 +293,7 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr,
*/
if (ext & (1 << (INET_DIAG_DCTCPINFO - 1)) ||
ext & (1 << (INET_DIAG_VEGASINFO - 1))) {
- memset(info, 0, sizeof(struct tcp_dctcp_info));
+ memset(&info->dctcp, 0, sizeof(info->dctcp));
if (inet_csk(sk)->icsk_ca_ops != &dctcp_reno) {
info->dctcp.dctcp_enabled = 1;
info->dctcp.dctcp_ce_state = (u16) ca->ce_state;
@@ -303,7 +303,7 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr,
}
*attr = INET_DIAG_DCTCPINFO;
- return sizeof(*info);
+ return sizeof(info->dctcp);
}
return 0;
}
--
2.8.0.rc3.226.g39d4020
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net-next] tcp: return sizeof tcp_dctcp_info in dctcp_get_info()
2016-06-13 15:20 [PATCH net-next] tcp: return sizeof tcp_dctcp_info in dctcp_get_info() Neal Cardwell
@ 2016-06-13 15:47 ` Daniel Borkmann
2016-06-15 6:46 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Daniel Borkmann @ 2016-06-13 15:47 UTC (permalink / raw)
To: Neal Cardwell, David Miller; +Cc: netdev, Soheil Hassas Yeganeh, Eric Dumazet
On 06/13/2016 05:20 PM, Neal Cardwell wrote:
> Make sure that dctcp_get_info() returns only the size of the
> info->dctcp struct that it zeroes out and fills in. Previously it had
> been returning the size of the enclosing tcp_cc_info union,
> sizeof(*info). There is no problem yet, but that union that may one
> day be larger than struct tcp_dctcp_info, in which case the
> TCP_CC_INFO code might accidentally copy uninitialized bytes from the
> stack.
>
> Signed-off-by: Neal Cardwell <ncardwell@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net-next] tcp: return sizeof tcp_dctcp_info in dctcp_get_info()
2016-06-13 15:20 [PATCH net-next] tcp: return sizeof tcp_dctcp_info in dctcp_get_info() Neal Cardwell
2016-06-13 15:47 ` Daniel Borkmann
@ 2016-06-15 6:46 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2016-06-15 6:46 UTC (permalink / raw)
To: ncardwell; +Cc: netdev, soheil, edumazet
From: Neal Cardwell <ncardwell@google.com>
Date: Mon, 13 Jun 2016 11:20:35 -0400
> Make sure that dctcp_get_info() returns only the size of the
> info->dctcp struct that it zeroes out and fills in. Previously it had
> been returning the size of the enclosing tcp_cc_info union,
> sizeof(*info). There is no problem yet, but that union that may one
> day be larger than struct tcp_dctcp_info, in which case the
> TCP_CC_INFO code might accidentally copy uninitialized bytes from the
> stack.
>
> Signed-off-by: Neal Cardwell <ncardwell@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Applied.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-06-15 6:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-06-13 15:20 [PATCH net-next] tcp: return sizeof tcp_dctcp_info in dctcp_get_info() Neal Cardwell
2016-06-13 15:47 ` Daniel Borkmann
2016-06-15 6:46 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.