From: Ani Sinha <ani@arista.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: David Miller <davem@davemloft.net>,
"matthew.leach" <matthew.leach@arm.com>,
netdev@vger.kernel.org, fenner <fenner@arista.com>,
fruggeri <fruggeri@arista.com>, travisb <travisb@arista.com>
Subject: Re: [PATCH] net: socket: do not validate msg_namelen unless msg_name is non-NULL
Date: Fri, 5 Sep 2014 14:44:32 -0700 [thread overview]
Message-ID: <CAOxq_8Nvox3ABUoZFzmvMyb4XwAHx1YdTPfx9rpKAofM7crq=w@mail.gmail.com> (raw)
In-Reply-To: <1409952419.5306.29.camel@localhost>
On Fri, Sep 5, 2014 at 2:26 PM, Hannes Frederic Sowa
> If you set msg_namelen = 0 if msg_name == NULL prior to the < 0 check it
> should not trigger the return -EINVAL and also we don't run into the
> unsafe implicit conversion case when comparing msg_namelen with the
> result of the sizeof(). Do you see any problems with that?
yes, sorry I misunderstood you. Here's the updated patch :
>From ea39174d4475d7def61410210613ab24a4ce0e81 Mon Sep 17 00:00:00 2001
From: Ani Sinha <ani@aristanetworks.com>
Date: Fri, 5 Sep 2014 14:33:20 -0700
Subject: [PATCH] net:socket: set msg_namelen to 0 if msg_name is
passed as NULL in msghdr struct from userland.
Linux manpage for recvmsg and sendmsg calls does not explicitly
mention setting msg_namelen to 0 when
msg_name passed set as NULL. When developers don't set msg_namelen
member in msghdr, it might contain garbage
value which will fail the validation check and sendmsg and recvmsg
calls from kernel will return EINVAL. This will
break old binaries and any code for which there is no access to source code.
To fix this, we set msg_namelen to 0 when msg_name is passed as NULL
from userland.
Signed-off-by: Ani Sinha <ani@aristanetworks.com>
---
net/socket.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/socket.c b/net/socket.c
index 95ee7d8..457be6a 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1997,6 +1997,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
return -EFAULT;
+ if (kmsg->msg_name == NULL)
+ kmsg->msg_namelen = 0;
+
if (kmsg->msg_namelen < 0)
return -EINVAL;
--
1.7.4.4
next prev parent reply other threads:[~2014-09-05 21:44 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-05 21:00 [PATCH] net: socket: do not validate msg_namelen unless msg_name is non-NULL Ani Sinha
2014-09-05 21:14 ` Hannes Frederic Sowa
2014-09-05 21:21 ` Ani Sinha
2014-09-05 21:26 ` Hannes Frederic Sowa
2014-09-05 21:42 ` Eric Dumazet
2014-09-05 21:44 ` Ani Sinha [this message]
2014-09-08 21:53 ` Ani Sinha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOxq_8Nvox3ABUoZFzmvMyb4XwAHx1YdTPfx9rpKAofM7crq=w@mail.gmail.com' \
--to=ani@arista.com \
--cc=davem@davemloft.net \
--cc=fenner@arista.com \
--cc=fruggeri@arista.com \
--cc=hannes@stressinduktion.org \
--cc=matthew.leach@arm.com \
--cc=netdev@vger.kernel.org \
--cc=travisb@arista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.