All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net] ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
@ 2017-02-24  8:29 Xin Long
  2017-02-27  2:26 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Xin Long @ 2017-02-24  8:29 UTC (permalink / raw)
  To: network dev; +Cc: davem, Eric Dumazet, hannes

Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed
the issue for ipv4 ipmr:

  ip_mroute_setsockopt() & ip_mroute_getsockopt() should not
  access/set raw_sk(sk)->ipmr_table before making sure the socket
  is a raw socket, and protocol is IGMP

The same fix should be done for ipv6 ipmr as well.

This patch can fix the panic caused by overwriting the same offset
as ipmr_table as in raw_sk(sk) when accessing other type's socket
by ip_mroute_setsockopt().

Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/ipv6/ip6mr.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index babaf3e..6ba6c90 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1666,6 +1666,10 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 	struct net *net = sock_net(sk);
 	struct mr6_table *mrt;
 
+	if (sk->sk_type != SOCK_RAW ||
+	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
+		return -EOPNOTSUPP;
+
 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
 	if (!mrt)
 		return -ENOENT;
@@ -1677,9 +1681,6 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 
 	switch (optname) {
 	case MRT6_INIT:
-		if (sk->sk_type != SOCK_RAW ||
-		    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
-			return -EOPNOTSUPP;
 		if (optlen < sizeof(int))
 			return -EINVAL;
 
@@ -1815,6 +1816,10 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
 	struct net *net = sock_net(sk);
 	struct mr6_table *mrt;
 
+	if (sk->sk_type != SOCK_RAW ||
+	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
+		return -EOPNOTSUPP;
+
 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
 	if (!mrt)
 		return -ENOENT;
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH net] ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
  2017-02-24  8:29 [PATCH net] ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt Xin Long
@ 2017-02-27  2:26 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-02-27  2:26 UTC (permalink / raw)
  To: lucien.xin; +Cc: netdev, edumazet, hannes

From: Xin Long <lucien.xin@gmail.com>
Date: Fri, 24 Feb 2017 16:29:06 +0800

> Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed
> the issue for ipv4 ipmr:
> 
>   ip_mroute_setsockopt() & ip_mroute_getsockopt() should not
>   access/set raw_sk(sk)->ipmr_table before making sure the socket
>   is a raw socket, and protocol is IGMP
> 
> The same fix should be done for ipv6 ipmr as well.
> 
> This patch can fix the panic caused by overwriting the same offset
> as ipmr_table as in raw_sk(sk) when accessing other type's socket
> by ip_mroute_setsockopt().
> 
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-02-27  2:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-24  8:29 [PATCH net] ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt Xin Long
2017-02-27  2:26 ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.