From: Tom Parkin <tparkin@katalix.com>
To: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Cc: James Chapman <jchapman@katalix.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>
Subject: Re: [PATCH net-next] l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function
Date: Wed, 6 Mar 2024 13:14:23 +0000 [thread overview]
Message-ID: <ZehsL8sHd3vgplv1@katalix.com> (raw)
In-Reply-To: <20240306095449.1782369-1-Ilia.Gavrilov@infotecs.ru>
[-- Attachment #1: Type: text/plain, Size: 1566 bytes --]
On Wed, Mar 06, 2024 at 09:58:10 +0000, Gavrilov Ilia wrote:
> diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
> index f011af6601c9..6146e4e67bbb 100644
> --- a/net/l2tp/l2tp_ppp.c
> +++ b/net/l2tp/l2tp_ppp.c
> @@ -1356,11 +1356,11 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
> if (get_user(len, optlen))
> return -EFAULT;
>
> - len = min_t(unsigned int, len, sizeof(int));
> -
> if (len < 0)
> return -EINVAL;
>
> + len = min_t(unsigned int, len, sizeof(int));
> +
> err = -ENOTCONN;
> if (!sk->sk_user_data)
> goto end;
I think this code in l2tp_ppp.c has probably been inspired by a
similar implementations elsewhere in the kernel -- for example
net/ipv4/udp.c udp_lib_getsockopt does the same thing, and apparently
has been that way since the dawn of git time.
I note however that plenty of other getsockopt implementations which
are using min_t(unsigned int, len, sizeof(int)) don't check the length
value at all: as an example, net/ipv6/raw.c do_rawv6_getsockopt.
As it stands right now in the l2tp_ppp.c code, I think the check on
len will end up doing nothing, as you point out.
So moving the len check to before the min_t() call may in theory
possibly catch out (insane?) userspace code passing in negative
numbers which may "work" with the current kernel code.
I wonder whether its safer therefore to remove the len check
altogether?
--
Tom Parkin
Katalix Systems Ltd
https://katalix.com
Catalysts for your Embedded Linux software development
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2024-03-06 13:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-06 9:58 [PATCH net-next] l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function Gavrilov Ilia
2024-03-06 13:14 ` Tom Parkin [this message]
2024-03-06 13:46 ` Gavrilov Ilia
2024-03-06 14:32 ` Tom Parkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZehsL8sHd3vgplv1@katalix.com \
--to=tparkin@katalix.com \
--cc=Ilia.Gavrilov@infotecs.ru \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jchapman@katalix.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.