* [PATCH net] sctp: trim optlen when it's a huge value in sctp_setsockopt
@ 2021-07-17 21:19 Xin Long
2021-07-18 16:50 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Xin Long @ 2021-07-17 21:19 UTC (permalink / raw)
To: network dev, davem, kuba, linux-sctp; +Cc: Marcelo Ricardo Leitner
After commit ca84bd058dae ("sctp: copy the optval from user space in
sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
the optlen, and it would fail the allocation and return error if the
optlen from user space is a huge value.
This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
be trimmed to a biggest value it needs when optlen is a huge value,
instead of failing the allocation and returning error.
This patch is to fix the allocation failure when it's a huge optlen from
user space by trimming it to the biggest size sctp sockopt may need when
necessary, and this biggest size is from sctp_setsockopt_reset_streams()
for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT
and SCTP_AUTH_KEY.
Fixes: ca84bd058dae ("sctp: copy the optval from user space in sctp_setsockopt")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/sctp/socket.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e64e01f61b11..6b937bfd4751 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4577,6 +4577,10 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname,
}
if (optlen > 0) {
+ /* Trim it to the biggest size sctp sockopt may need if necessary */
+ optlen = min_t(unsigned int, optlen,
+ PAGE_ALIGN(USHRT_MAX +
+ sizeof(__u16) * sizeof(struct sctp_reset_streams)));
kopt = memdup_sockptr(optval, optlen);
if (IS_ERR(kopt))
return PTR_ERR(kopt);
--
2.27.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] sctp: trim optlen when it's a huge value in sctp_setsockopt
2021-07-17 21:19 [PATCH net] sctp: trim optlen when it's a huge value in sctp_setsockopt Xin Long
@ 2021-07-18 16:50 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-07-18 16:50 UTC (permalink / raw)
To: Xin Long; +Cc: netdev, davem, kuba, linux-sctp, marcelo.leitner
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Sat, 17 Jul 2021 17:19:19 -0400 you wrote:
> After commit ca84bd058dae ("sctp: copy the optval from user space in
> sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
> the optlen, and it would fail the allocation and return error if the
> optlen from user space is a huge value.
>
> This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
> SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
> be trimmed to a biggest value it needs when optlen is a huge value,
> instead of failing the allocation and returning error.
>
> [...]
Here is the summary with links:
- [net] sctp: trim optlen when it's a huge value in sctp_setsockopt
https://git.kernel.org/netdev/net/c/2f3fdd8d4805
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-07-18 16:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-17 21:19 [PATCH net] sctp: trim optlen when it's a huge value in sctp_setsockopt Xin Long
2021-07-18 16:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).