From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: [patch 34/37] appletalk: Fix skb leak when ipddp interface is not loaded
Date: Fri, 09 Oct 2009 16:34:45 -0700 [thread overview]
Message-ID: <20091009233440.435295049@mini.kroah.org> (raw)
In-Reply-To: <20091009233812.GA15982@kroah.com>
[-- Attachment #1: appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch --]
[-- Type: text/plain, Size: 6105 bytes --]
2.6.31-stable review patch. If anyone has any objections, please let us know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit ffcfb8db540ff879c2a85bf7e404954281443414 ]
And also do a better job of returning proper NET_{RX,XMIT}_ values.
Based on a patch by Mark Smith.
This fixes CVE-2009-2903
Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/net/appletalk/ipddp.c | 3 --
net/appletalk/aarp.c | 16 +++++++----
net/appletalk/ddp.c | 58 ++++++++++++++++++++++--------------------
3 files changed, 43 insertions(+), 34 deletions(-)
--- a/drivers/net/appletalk/ipddp.c
+++ b/drivers/net/appletalk/ipddp.c
@@ -176,8 +176,7 @@ static int ipddp_xmit(struct sk_buff *sk
dev->stats.tx_packets++;
dev->stats.tx_bytes += skb->len;
- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
- dev_kfree_skb(skb);
+ aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
spin_unlock(&ipddp_route_lock);
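Review bot: With the result of aarp_send_ddp() now discarded, a frame the callee drops is still counted in tx_packets/tx_bytes two lines above, so the ipddp statistics overstate successful transmissions. Since aarp_send_ddp() now returns NET_XMIT_SUCCESS or NET_XMIT_DROP, the failure can be counted instead: `if (aarp_send_ddp(rt->dev, skb, &rt->at, NULL) != NET_XMIT_SUCCESS) dev->stats.tx_dropped++;`. The same pattern appears in the handle_ip_over_ddp() hunks in ddp.c, where rx_packets/rx_bytes are bumped before `return netif_rx(skb)` and a NET_RX_DROP result could drive rx_dropped. A one-line comment that the callee consumes skb on every path would also explain why skb->len must be read before the call and skb never touched afterwards; ipddp_xmit() starts and ends outside this hunk.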
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@@ -599,7 +599,7 @@ int aarp_send_ddp(struct net_device *dev
/* Non ELAP we cannot do. */
if (dev->type != ARPHRD_ETHER)
- return -1;
+ goto free_it;
skb->dev = dev;
skb->protocol = htons(ETH_P_ATALK);
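Review bot: The ownership contract of aarp_send_ddp() changes in this hunk and the two that follow — on every path the function now queues, transmits or frees the skb, and the caller must not touch it again — but the function's header comment, which precedes this hunk, is not updated to say so. The callers changed in ipddp.c and ddp.c by this same patch rely on that guarantee, so it should be stated at the definition, e.g. `/* Consumes skb on all paths (queued, transmitted or freed); returns NET_XMIT_SUCCESS or NET_XMIT_DROP. */`. aarp_send_ddp() starts before this hunk.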
@@ -634,7 +634,7 @@ int aarp_send_ddp(struct net_device *dev
if (!a) {
/* Whoops slipped... good job it's an unreliable protocol 8) */
write_unlock_bh(&aarp_lock);
- return -1;
+ goto free_it;
}
/* Set up the queue */
@@ -663,15 +663,21 @@ out_unlock:
write_unlock_bh(&aarp_lock);
/* Tell the ddp layer we have taken over for this frame. */
- return 0;
+ goto sent;
sendit:
if (skb->sk)
skb->priority = skb->sk->sk_priority;
- dev_queue_xmit(skb);
+ if (dev_queue_xmit(skb))
+ goto drop;
sent:
- return 1;
+ return NET_XMIT_SUCCESS;
+free_it:
+ kfree_skb(skb);
+drop:
+ return NET_XMIT_DROP;
}
+EXPORT_SYMBOL(aarp_send_ddp);
/*
* An entry in the aarp unresolved queue has become resolved. Send
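Review bot: `if (dev_queue_xmit(skb)) goto drop;` folds every non-zero result of dev_queue_xmit() into NET_XMIT_DROP, including NET_XMIT_CN, which reports congestion on a frame that was nevertheless accepted; presumably this is intended so that the ddp.c receive path only ever sees NET_RX_SUCCESS or NET_RX_DROP, but a comment saying so would stop the next reader from "simplifying" it to `return dev_queue_xmit(skb);`, which would also pass negative errno values up to the rx path. Jumping to `drop` rather than `free_it` is correct because dev_queue_xmit() frees the skb on failure, and that deserves its own line: `/* dev_queue_xmit() consumed skb, whether or not it succeeded */`. Moving EXPORT_SYMBOL next to the definition is the right place for it.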
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1270,8 +1270,10 @@ static int handle_ip_over_ddp(struct sk_
struct net_device_stats *stats;
/* This needs to be able to handle ipddp"N" devices */
- if (!dev)
- return -ENODEV;
+ if (!dev) {
+ kfree_skb(skb);
+ return NET_RX_DROP;
+ }
skb->protocol = htons(ETH_P_IP);
skb_pull(skb, 13);
@@ -1281,8 +1283,7 @@ static int handle_ip_over_ddp(struct sk_
stats = netdev_priv(dev);
stats->rx_packets++;
stats->rx_bytes += skb->len + 13;
- netif_rx(skb); /* Send the SKB up to a higher place. */
- return 0;
+ return netif_rx(skb); /* Send the SKB up to a higher place. */
}
#else
/* make it easy for gcc to optimize this test out, i.e. kill the code */
@@ -1290,9 +1291,8 @@ static int handle_ip_over_ddp(struct sk_
#define handle_ip_over_ddp(skb) 0
#endif
-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
- struct ddpehdr *ddp, __u16 len_hops,
- int origlen)
+static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+ struct ddpehdr *ddp, __u16 len_hops, int origlen)
{
struct atalk_route *rt;
struct atalk_addr ta;
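Review bot: atalk_route_packet() gains an int return value, but nothing states what it returns or that the skb is consumed on every path, and atalk_rcv() now hands this value straight back to the packet-type handler's caller. Document it above the signature, e.g. `/* Forward skb to the AppleTalk interface the route table selects. Consumes skb on all paths; returns NET_RX_SUCCESS or NET_RX_DROP. */`. The function body continues beyond this hunk.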
@@ -1359,8 +1359,6 @@ static void atalk_route_packet(struct sk
/* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
kfree_skb(skb);
- if (!nskb)
- goto out;
skb = nskb;
} else
skb = skb_unshare(skb, GFP_ATOMIC);
@@ -1369,12 +1367,18 @@ static void atalk_route_packet(struct sk
* If the buffer didn't vanish into the lack of space bitbucket we can
* send it.
*/
- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
- goto free_it;
-out:
- return;
+ if (skb == NULL)
+ goto drop;
+
+ /*
+ * It is OK, NET_XMIT_SUCCESS == NET_RX_SUCCESS and
+ * NET_XMIT_DROP == NET_RX_DROP
+ */
+ return aarp_send_ddp(rt->dev, skb, &ta, NULL);
free_it:
kfree_skb(skb);
+drop:
+ return NET_RX_DROP;
}
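Review bot: The comment `It is OK, NET_XMIT_SUCCESS == NET_RX_SUCCESS and NET_XMIT_DROP == NET_RX_DROP` records an assumption the compiler can check: `BUILD_BUG_ON(NET_XMIT_SUCCESS != NET_RX_SUCCESS);` and `BUILD_BUG_ON(NET_XMIT_DROP != NET_RX_DROP);` before the return would turn a silent mis-mapping into a build failure if either constant family ever changes. The mapping also holds only because aarp_send_ddp(), as patched in this series, never returns NET_XMIT_CN, which has no NET_RX_ counterpart; that is worth stating in the comment. atalk_route_packet() starts before this hunk.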
/**
@@ -1404,7 +1408,7 @@ static int atalk_rcv(struct sk_buff *skb
/* Don't mangle buffer if shared */
if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
- goto out;
+ goto drop;
/* Size check and make sure header is contiguous */
if (!pskb_may_pull(skb, sizeof(*ddp)))
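Review bot: `goto drop` instead of the old `goto out` is correct only because skb_share_check() has already freed the original skb when it returns NULL; with the new `freeit:` label (last hunk of atalk_rcv) one `goto` away, a later edit could easily route this through freeit and double-free. A one-line comment pins the reasoning: `/* skb_share_check() freed skb on failure: nothing left to free here */`. atalk_rcv() starts before and ends after this hunk.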
@@ -1448,8 +1452,7 @@ static int atalk_rcv(struct sk_buff *skb
/* Not ours, so we route the packet via the correct
* AppleTalk iface
*/
- atalk_route_packet(skb, dev, ddp, len_hops, origlen);
- goto out;
+ return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
}
/* if IP over DDP is not selected this code will be optimized out */
@@ -1472,11 +1475,12 @@ static int atalk_rcv(struct sk_buff *skb
if (sock_queue_rcv_skb(sock, skb) < 0)
goto freeit;
-out:
- return 0;
+
+ return NET_RX_SUCCESS;
freeit:
kfree_skb(skb);
- goto out;
+drop:
+ return NET_RX_DROP;
}
/*
@@ -1652,10 +1656,10 @@ static int atalk_sendmsg(struct kiocb *i
if (skb2) {
loopback = 1;
SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
- if (aarp_send_ddp(dev, skb2,
- &usat->sat_addr, NULL) == -1)
- kfree_skb(skb2);
- /* else queued/sent above in the aarp queue */
+ /*
+ * If it fails it is queued/sent above in the aarp queue
+ */
+ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
}
}
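Review bot: The new comment `If it fails it is queued/sent above in the aarp queue` misstates the contract: with this series aarp_send_ddp() consumes skb2 on every path — queued, transmitted, or freed on failure — which is exactly why the kfree_skb(skb2) was removed. Suggest `/* aarp_send_ddp() consumes skb2: queued, sent, or freed on failure */` here, and the same wording for the identical comment in the next hunk at the `usat = &gsat` site. atalk_sendmsg() starts before and ends after this hunk.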
@@ -1685,9 +1689,10 @@ static int atalk_sendmsg(struct kiocb *i
usat = &gsat;
}
- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
- kfree_skb(skb);
- /* else queued/sent above in the aarp queue */
+ /*
+ * If it fails it is queued/sent above in the aarp queue
+ */
+ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
}
SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
@@ -1865,7 +1870,6 @@ static struct packet_type ppptalk_packet
static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B };
/* Export symbols for use by drivers when AppleTalk is a module */
-EXPORT_SYMBOL(aarp_send_ddp);
EXPORT_SYMBOL(atrtr_get_dev);
EXPORT_SYMBOL(atalk_find_dev_addr);