From: Stephen Hemminger <stephen@networkplumber.org>
To: netdev@vger.kernel.org
Subject: Fw: [Bug 205681] New: recvmg is overwriting the buffer passed in msg_name by exceeding msg_namelen
Date: Wed, 27 Nov 2019 08:08:50 -0800
Message-ID: <20191127080850.2707eef0@hermes.lan>



Begin forwarded message:

Date: Wed, 27 Nov 2019 06:36:50 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 205681] New: recvmg is overwriting the buffer passed in msg_name by exceeding msg_namelen


https://bugzilla.kernel.org/show_bug.cgi?id=205681

            Bug ID: 205681
           Summary: recvmg is overwriting the buffer passed in msg_name by
                    exceeding msg_namelen
           Product: Networking
           Version: 2.5
    Kernel Version: 5.4,4.0,3.0,2.6
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: IPV4
          Assignee: stephen@networkplumber.org
          Reporter: sudheendrasp@gmail.com
        Regression: No

if (msg->msg_name) {
        struct sockaddr_rxrpc *srx = msg->msg_name;
        size_t len = sizeof(call->peer->srx);

        memcpy(msg->msg_name, &call->peer->srx, len);
        srx->srx_service = call->service_id;
        msg->msg_namelen = len;
}


As seen, recvmsg is doing memcpy of len which can be greater than msg_namelen
passed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
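
The length check the report is concerned with, shown as an added user-space example (not kernel code and not part of the original message): a name copy that never writes more than the size the caller declared and reports the full address length so truncation is detectable. `struct demo_addr`, `copy_name_bounded` and `guard_intact_after_short_copy` are hypothetical names, and the test data is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a protocol address such as sockaddr_rxrpc. */
struct demo_addr {
    unsigned short family;
    unsigned short service;
    unsigned char  transport[32];
};

/*
 * Copy a source address into a caller-supplied name buffer.
 * cap is the size the caller declared (the msg_namelen it passed in).
 * At most cap bytes are written. The return value is the full address
 * length, so a result greater than cap tells the caller the name was
 * truncated (the convention recvfrom(2) documents for addrlen).
 */
size_t copy_name_bounded(void *name, size_t cap, const struct demo_addr *src)
{
    size_t full = sizeof(*src);
    size_t n = full < cap ? full : cap;   /* clamp to the caller's size */

    if (name != NULL && n > 0)
        memcpy(name, src, n);
    return full;
}

/* Constructed check: an 8-byte name buffer followed by guard bytes. */
int guard_intact_after_short_copy(void)
{
    struct demo_addr src;
    struct { unsigned char name[8]; unsigned char guard[8]; } dst;
    size_t i, full;

    memset(&src, 0xAB, sizeof(src));      /* constructed source address */
    memset(&dst, 0x5A, sizeof(dst));      /* 0x5A marks untouched bytes */

    full = copy_name_bounded(dst.name, sizeof(dst.name), &src);

    for (i = 0; i < sizeof(dst.guard); i++)
        if (dst.guard[i] != 0x5A)
            return 0;                     /* wrote past the declared size */
    /* Name area filled, guard untouched, full length reported. */
    return full == sizeof(src) && dst.name[7] == 0xAB;
}

int main(void) { return guard_intact_after_short_copy() ? 0 : 1; }
```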
