* [PATCH] Bug in sendto() causes OOPS when using RAW sockets
@ 2001-08-22 16:07 Octavian Cerna
2001-08-22 16:18 ` David S. Miller
0 siblings, 1 reply; 2+ messages in thread
From: Octavian Cerna @ 2001-08-22 16:07 UTC (permalink / raw)
To: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 630 bytes --]
Hi,
Studying the implementation of raw IPv4 sockets I found that calling
sendto() on a raw socket with a NULL socket address generates a kernel
OOPS.
I checked this on kernel 2.4.3, but I also checked the sources in CVS on
vger -- the bug is still there.
The problem is that raw_sendmsg() in net/ipv4/raw.c blindly assumes that
msg_name is valid if msg_namelen is non-zero. I found that sys_sendto()
doesn't correctly build the msghdr structure if the socket address is
NULL.
I attached a small patch to fix this issue, a C program for testing the
problem and my OOPS log.
Best Regards,
Octavian Cerna
IGREC Labs
[-- Attachment #2: sendto.diff --]
[-- Type: application/octet-stream, Size: 470 bytes --]
--- linux-orig/net/socket.c Sun Apr 29 21:25:51 2001
+++ linux/net/socket.c Wed Aug 22 18:00:41 2001
@@ -1203,13 +1203,14 @@
msg.msg_iovlen=1;
msg.msg_control=NULL;
msg.msg_controllen=0;
- msg.msg_namelen=addr_len;
+ msg.msg_namelen=0;
if(addr)
{
err = move_addr_to_kernel(addr, addr_len, address);
if (err < 0)
goto out_put;
msg.msg_name=address;
+ msg.msg_namelen=addr_len;
}
if (sock->file->f_flags & O_NONBLOCK)
flags |= MSG_DONTWAIT;
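Review bot: the hunk closes the inconsistency at the syscall boundary only; raw_sendmsg() still dereferences msg_name the moment msg_namelen is non-zero (the decoded oops shows the fault at `cmpw $0x2,(%ebx)` with %ebx == 0, i.e. the sin_family == AF_INET test on a NULL pointer, and %eax == 0x10 matching the addr_len of 16 that the test program passes), so a one-line `if (msg->msg_namelen && !msg->msg_name) return -EINVAL;` at the top of raw_sendmsg() would also protect any other caller that builds a msghdr by hand. Two smaller points on the sys_sendto() side: with `msg.msg_namelen=0` moved under `if(addr)`, a NULL addr combined with a non-zero addr_len is now silently treated as "no address" rather than rejected outright, so the EINVAL the test program expects comes later from raw_sendmsg() rather than from this function; and the NULL-addr path is only correct because msg.msg_name is initialised to NULL above the visible context, which this hunk should be read together with.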
[-- Attachment #3: sendto.c --]
[-- Type: application/octet-stream, Size: 525 bytes --]
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Opening a raw socket needs CAP_NET_RAW (normally root). */
int main (void)
{
    char buffer[64];
    int fd = socket (PF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
    {
        fprintf (stderr, "Can't create raw socket: %s\n", strerror (errno));
        return 1;
    }
    memset (buffer, 0, sizeof buffer);
    /* On a buggy kernel the next line generates an oops,
       on a fixed kernel it returns -1 with errno == EINVAL. */
    if (sendto (fd, buffer, sizeof buffer, 0, NULL, 16) < 0)
        printf ("sendto() => %s\n", strerror (errno));
    else
        printf ("sendto() => succeeded\n");
    close (fd);
    return 0;
}
[-- Attachment #4: sendto.oops --]
[-- Type: application/octet-stream, Size: 3222 bytes --]
Aug 22 15:55:18 localhost kernel: <1>Unable to handle kernel NULL pointer dereference at virtual address 00000000
Aug 22 15:55:18 localhost kernel: c0202056
Aug 22 15:55:18 localhost kernel: Oops: 0000
Aug 22 15:55:18 localhost kernel: CPU: 0
Aug 22 15:55:18 localhost kernel: EIP: 0010:[raw_sendmsg+86/720]
Aug 22 15:55:18 localhost kernel: EIP: 0010:[<c0202056>]
Aug 22 15:55:18 localhost kernel: EFLAGS: 00010212
Aug 22 15:55:18 localhost kernel: eax: 00000010 ebx: 00000000 ecx: 00000000 edx: cc2c7ecc
Aug 22 15:55:18 localhost kernel: esi: cfa0bdd8 edi: c07bb840 ebp: cfa0bdd8 esp: cfa0bce8
Aug 22 15:55:18 localhost kernel: ds: 0018 es: 0018 ss: 0018
Aug 22 15:55:18 localhost kernel: Process sendto (pid: 12175, stackpage=cfa0b000)
Aug 22 15:55:18 localhost kernel: Stack: 00000000 00000000 00000002 cb4839c0 00000001 00000000 08048000 c3a29bc0
Aug 22 15:55:18 localhost kernel: 40000000 cfa0bd54 00000307 0000142d 03070000 c0182163 cfa0bd54 cff15c00
Aug 22 15:55:18 localhost kernel: 00000307 0000142d 03072ffe 00002033 cfa0be38 c0138746 00000307 cfa0be4c
Aug 22 15:55:18 localhost kernel: Call Trace: [journal_end+19/32] [bread+22/112] [inet_sendmsg+51/64] [sys_sendto+393/448] [vsprintf+908/960]
Aug 22 15:55:18 localhost kernel: Call Trace: [<c0182163>] [<c0138746>] [<c0208d83>] [<c01d45a9>] [<c0211cbc>]
Aug 22 15:55:18 localhost kernel: [<c0148974>] [<c0211d02>] [<c01d369d>] [<c012eacb>] [<c01d5063>] [<c0124444>]
Aug 22 15:55:18 localhost kernel: [<c014adba>] [<c0112ec0>] [<c011301a>] [<ffff0001>] [<c010bd14>] [<c0133e56>]
Aug 22 15:55:18 localhost kernel: [<c0106d83>]
Aug 22 15:55:18 localhost kernel: Code: 66 83 3b 02 74 36 a1 c0 e9 2a c0 40 a3 c0 e9 2a c0 48 75 19
>>EIP; c0202056 <raw_sendmsg+56/2d0> <=====
Trace; c0182163 <journal_end+13/20>
Trace; c0138746 <bread+16/70>
Trace; c0208d83 <inet_sendmsg+33/40>
Trace; c01d45a9 <sys_sendto+189/1c0>
Trace; c0211cbc <vsprintf+38c/3c0>
Trace; c0148974 <d_alloc+14/170>
Trace; c0211d02 <sprintf+12/20>
Trace; c01d369d <sock_map_fd+ed/160>
Trace; c012eacb <__alloc_pages+6b/340>
Trace; c01d5063 <sys_socketcall+373/640>
Trace; c0124444 <handle_mm_fault+64/d0>
Trace; c014adba <__mark_inode_dirty+2a/70>
Trace; c0112ec0 <do_page_fault+0/520>
Trace; c011301a <do_page_fault+15a/520>
Trace; ffff0001 <END_OF_CODE+2f5bf2fb/????>
Trace; c010bd14 <old_mmap+f4/130>
Trace; c0133e56 <sys_close+86/a0>
Trace; c0106d83 <system_call+33/38>
Code; c0202056 <raw_sendmsg+56/2d0>
00000000 <_EIP>:
Code; c0202056 <raw_sendmsg+56/2d0> <=====
0: 66 83 3b 02 cmpw $0x2,(%ebx) <=====
Code; c020205a <raw_sendmsg+5a/2d0>
4: 74 36 je 3c <_EIP+0x3c> c0202092 <raw_sendmsg+92/2d0>
Code; c020205c <raw_sendmsg+5c/2d0>
6: a1 c0 e9 2a c0 mov 0xc02ae9c0,%eax
Code; c0202061 <raw_sendmsg+61/2d0>
b: 40 inc %eax
Code; c0202062 <raw_sendmsg+62/2d0>
c: a3 c0 e9 2a c0 mov %eax,0xc02ae9c0
Code; c0202067 <raw_sendmsg+67/2d0>
11: 48 dec %eax
Code; c0202068 <raw_sendmsg+68/2d0>
12: 75 19 jne 2d <_EIP+0x2d> c0202083 <raw_sendmsg+83/2d0>
^ permalink raw reply [flat|nested] 2+ messages in thread
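The contract the patch repairs, as an added example that is not part of the original mail or of the kernel tree: a user-space C model of how sys_sendto() filled in msg_name and msg_namelen before and after the fix, and of the destination lookup at the top of raw_sendmsg() that trusts msg_namelen alone. The names struct model_msghdr, build_msghdr_buggy, build_msghdr_fixed and raw_sendmsg_model are this example's own; the model returns a result code where the kernel would have dereferenced NULL, and it treats a short or non-AF_INET address as EINVAL without claiming to reproduce the kernel's exact error paths.

```c
/*
 * Added example, not kernel code: a user-space model of the
 * sys_sendto() -> raw_sendmsg() contract.  All names are this
 * example's own; only the logic mirrors the code quoted on the page.
 */
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* The subset of the kernel's struct msghdr that the bug concerns. */
struct model_msghdr {
    void *msg_name;     /* destination address, or NULL */
    int   msg_namelen;  /* length the callee trusts */
};

/*
 * How sys_sendto() built the header before the patch: msg_namelen is
 * copied from the user's addr_len whether or not addr was supplied.
 */
static struct model_msghdr build_msghdr_buggy(const void *addr, int addr_len)
{
    struct model_msghdr msg = { NULL, addr_len };
    if (addr)
        msg.msg_name = (void *)addr;  /* stands in for the kernel copy */
    return msg;
}

/* After the patch: msg_namelen is non-zero only when msg_name is set. */
static struct model_msghdr build_msghdr_fixed(const void *addr, int addr_len)
{
    struct model_msghdr msg = { NULL, 0 };
    if (addr) {
        msg.msg_name = (void *)addr;
        msg.msg_namelen = addr_len;
    }
    return msg;
}

enum raw_result {
    RAW_OK_TO_NAME,    /* address accepted, daddr taken from msg_name */
    RAW_OK_CONNECTED,  /* no address given; use the connected peer */
    RAW_EINVAL,        /* bad address, or unconnected with no address */
    RAW_NULL_DEREF     /* the kernel would have oopsed here */
};

/*
 * The destination lookup at the top of raw_sendmsg().  The kernel reads
 * usin->sin_family as soon as msg_namelen != 0; that is the
 * "cmpw $0x2,(%ebx)" with %ebx == 0 in the oops (AF_INET == 2).  This
 * model adds the defensive NULL check the callee lacks and reports the
 * outcome instead of faulting.  The EINVAL cases are the model's own
 * simplification of the kernel's checks.
 */
static enum raw_result raw_sendmsg_model(const struct model_msghdr *msg,
                                         int connected, in_addr_t *daddr)
{
    if (msg->msg_namelen) {
        const struct sockaddr_in *usin = msg->msg_name;
        if (usin == NULL)
            return RAW_NULL_DEREF;       /* the unchecked case */
        if (msg->msg_namelen < (int)sizeof(*usin))
            return RAW_EINVAL;
        if (usin->sin_family != AF_INET)
            return RAW_EINVAL;
        *daddr = usin->sin_addr.s_addr;
        return RAW_OK_TO_NAME;
    }
    if (!connected)
        return RAW_EINVAL;  /* what the fixed kernel gives the test program */
    return RAW_OK_CONNECTED;
}

static const char *const result_name[] = {
    "ok (address taken from msg_name)", "ok (connected peer)",
    "EINVAL", "NULL dereference (kernel oops)"
};

int main(void)
{
    /* Constructed destination for the non-NULL case. */
    struct sockaddr_in dst = { .sin_family = AF_INET,
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    in_addr_t d = 0;
    struct model_msghdr m;

    /* The reporter's call: sendto(fd, buffer, 64, 0, NULL, 16). */
    m = build_msghdr_buggy(NULL, 16);
    printf("buggy, NULL addr -> %s\n", result_name[raw_sendmsg_model(&m, 0, &d)]);
    m = build_msghdr_fixed(NULL, 16);
    printf("fixed, NULL addr -> %s\n", result_name[raw_sendmsg_model(&m, 0, &d)]);
    m = build_msghdr_fixed(&dst, sizeof dst);
    printf("fixed, real addr -> %s\n", result_name[raw_sendmsg_model(&m, 0, &d)]);
    return 0;
}
```

The model makes the invariant explicit: after the fix, msg_namelen is a promise that msg_name points at a kernel copy of an address, so a callee that checks only msg_namelen is safe from sys_sendto(); the extra NULL check in raw_sendmsg_model is what would protect it from any other caller that does not keep that promise.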
* Re: [PATCH] Bug in sendto() causes OOPS when using RAW sockets
2001-08-22 16:07 [PATCH] Bug in sendto() causes OOPS when using RAW sockets Octavian Cerna
@ 2001-08-22 16:18 ` David S. Miller
0 siblings, 0 replies; 2+ messages in thread
From: David S. Miller @ 2001-08-22 16:18 UTC (permalink / raw)
To: tavy; +Cc: linux-kernel
> From: "Octavian Cerna" <tavy@igreconline.com>
> Date: Wed, 22 Aug 2001 19:07:36 +0300
>
> I attached a small patch to fix this issue, a C program for testing the
> problem and my OOPS log.
Thanks, I've applied your fix to my tree.
Later,
David S. Miller
davem@redhat.com
^ permalink raw reply [flat|nested] 2+ messages in thread