* [PATCH] Tools: hv: verify origin of netlink connector message
@ 2012-05-31 14:40 Olaf Hering
2012-06-01 19:26 ` KY Srinivasan
0 siblings, 1 reply; 2+ messages in thread
From: Olaf Hering @ 2012-05-31 14:40 UTC (permalink / raw)
To: K. Y. Srinivasan, Greg Kroah-Hartman; +Cc: linux-kernel
The SuSE security team suggested using recvfrom instead of recv to be
certain that the connector message originated from the kernel.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
---
tools/hv/hv_kvp_daemon.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
Index: linux-3.4/tools/hv/hv_kvp_daemon.c
===================================================================
--- linux-3.4.orig/tools/hv/hv_kvp_daemon.c
+++ linux-3.4/tools/hv/hv_kvp_daemon.c
@@ -701,14 +701,18 @@ int main(void)
pfd.fd = fd;
while (1) {
+ struct sockaddr *addr_p = (struct sockaddr *) &addr;
+ socklen_t addr_l = sizeof(addr);
pfd.events = POLLIN;
pfd.revents = 0;
poll(&pfd, 1, -1);
- len = recv(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0);
+ len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
+ addr_p, &addr_l);
- if (len < 0) {
- syslog(LOG_ERR, "recv failed; error:%d", len);
+ if (len < 0 || addr.nl_pid) {
+ syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
+ addr.nl_pid, errno, strerror(errno));
close(fd);
return -1;
}
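Review bot: in the combined `if (len < 0 || addr.nl_pid)` branch, a datagram whose source nl_pid is non-zero takes the same path as a recvfrom error, so close(fd) and return -1 run and the daemon stops on any message that did not come from the kernel. Consider handling the non-zero nl_pid case on its own: log the unexpected sender, skip the message and continue the loop, and keep the exit path for a real recvfrom failure only.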
^ permalink raw reply [flat|nested] 2+ messages in thread
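The origin check the patch introduces, written as a stand-alone receive helper. This is an added example, not code from the patch or from hv_kvp_daemon.c. The names nl_sender_is_kernel and recv_from_kernel are hypothetical, and it goes beyond the patch by also checking the returned address length and family and by skipping a non-kernel datagram instead of exiting.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* The kernel's netlink port id is 0; any other nl_pid is a userspace sender. */
int nl_sender_is_kernel(const struct sockaddr_nl *addr, socklen_t addr_len)
{
	if (addr_len != sizeof(*addr) || addr->nl_family != AF_NETLINK)
		return 0;	/* address missing, truncated or not netlink */
	return addr->nl_pid == 0;
}

/*
 * Hypothetical helper: return the next datagram that came from the kernel.
 * Datagrams from any other sender are counted in *dropped and skipped.
 * Returns -1 with errno set only when recvfrom() itself fails.
 */
ssize_t recv_from_kernel(int fd, void *buf, size_t buf_len, int flags,
			 unsigned int *dropped)
{
	for (;;) {
		struct sockaddr_nl addr;
		socklen_t addr_len = sizeof(addr);
		ssize_t len;
		memset(&addr, 0xff, sizeof(addr));	/* no stale nl_pid == 0 */
		len = recvfrom(fd, buf, buf_len, flags,
			       (struct sockaddr *)&addr, &addr_len);
		if (len < 0 && errno == EINTR)
			continue;
		if (len < 0 || nl_sender_is_kernel(&addr, addr_len))
			return len;
		(*dropped)++;
	}
}

/* Constructed demo: an AF_UNIX datagram stands in for a non-kernel sender. */
int main(void)
{
	int sv[2];
	char buf[64];
	unsigned int dropped = 0;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0 || send(sv[0], "x", 1, 0) != 1)
		return 1;
	ssize_t len = recv_from_kernel(sv[1], buf, sizeof(buf), MSG_DONTWAIT, &dropped);
	printf("len=%zd dropped=%u\n", len, dropped);
	return 0;
}
```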
* RE: [PATCH] Tools: hv: verify origin of netlink connector message
2012-05-31 14:40 [PATCH] Tools: hv: verify origin of netlink connector message Olaf Hering
@ 2012-06-01 19:26 ` KY Srinivasan
0 siblings, 0 replies; 2+ messages in thread
From: KY Srinivasan @ 2012-06-01 19:26 UTC (permalink / raw)
To: Olaf Hering, Greg Kroah-Hartman; +Cc: linux-kernel
> -----Original Message-----
> From: Olaf Hering [mailto:olaf@aepfle.de]
> Sent: Thursday, May 31, 2012 10:40 AM
> To: KY Srinivasan; Greg Kroah-Hartman
> Cc: linux-kernel@vger.kernel.org
> Subject: [PATCH] Tools: hv: verify origin of netlink connector message
>
> The SuSE security team suggested using recvfrom instead of recv to be
> certain that the connector message originated from the kernel.
Thanks Olaf.
>
> Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
>
> ---
> tools/hv/hv_kvp_daemon.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> Index: linux-3.4/tools/hv/hv_kvp_daemon.c
> ==============================================================
> =====
> --- linux-3.4.orig/tools/hv/hv_kvp_daemon.c
> +++ linux-3.4/tools/hv/hv_kvp_daemon.c
> @@ -701,14 +701,18 @@ int main(void)
> pfd.fd = fd;
>
> while (1) {
> + struct sockaddr *addr_p = (struct sockaddr *) &addr;
> + socklen_t addr_l = sizeof(addr);
> pfd.events = POLLIN;
> pfd.revents = 0;
> poll(&pfd, 1, -1);
>
> - len = recv(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0);
> + len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
> + addr_p, &addr_l);
>
> - if (len < 0) {
> - syslog(LOG_ERR, "recv failed; error:%d", len);
> + if (len < 0 || addr.nl_pid) {
> + syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
> + addr.nl_pid, errno, strerror(errno));
> close(fd);
> return -1;
> }
>
>
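Review bot: the syslog call in the `len < 0 || addr.nl_pid` branch prints errno and strerror(errno) even when recvfrom succeeded and only nl_pid was non-zero, so the logged error is whatever errno held from an earlier call and the text "recvfrom failed" does not describe what happened. Split the two conditions and give the unexpected-sender case its own message that reports addr.nl_pid without errno. It would also help to check addr_l after the call before reading addr.nl_pid.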
^ permalink raw reply [flat|nested] 2+ messages in thread