From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	Greg KH <greg@kroah.com>
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Linux Netdev List <netdev@vger.kernel.org>,
	Oliver Hartkopp <oliver.hartkopp@volkswagen.de>,
	Andre Naujoks <nautsch@gmail.com>,
	David Miller <davem@davemloft.net>,
	Urs Thuermann <urs.thuermann@volkswagen.de>
Subject: [patch 24/47] can: add sanity checks
Date: Tue, 22 Jul 2008 16:16:17 -0700	[thread overview]
Message-ID: <20080722231617.GY8282@suse.de> (raw)
In-Reply-To: <20080722231342.GA8282@suse.de>

[-- Attachment #1: can-add-sanity-checks.patch --]
[-- Type: text/plain, Size: 4352 bytes --]

2.6.25-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: Oliver Hartkopp <oliver@hartkopp.net>

commit 7f2d38eb7a42bea1c1df51bbdaa2ca0f0bdda07f upstream

Even though the CAN netlayer only deals with CAN netdevices, the
netlayer interface to the userspace and to the device layer should
perform some sanity checks.

This patch adds several sanity checks that mainly prevent userspace apps
from sending broken content into the system that may be misinterpreted by
some other userspace application.

Signed-off-by: Oliver Hartkopp <oliver.hartkopp@volkswagen.de>
Signed-off-by: Urs Thuermann <urs.thuermann@volkswagen.de>
Acked-by: Andre Naujoks <nautsch@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/can/af_can.c |   10 ++++++++++
 net/can/bcm.c    |   23 +++++++++++++++++++----
 net/can/raw.c    |    3 +++
 3 files changed, 32 insertions(+), 4 deletions(-)

--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -205,12 +205,19 @@ static int can_create(struct net *net, s
  *  -ENOBUFS on full driver queue (see net_xmit_errno())
  *  -ENOMEM when local loopback failed at calling skb_clone()
  *  -EPERM when trying to send on a non-CAN interface
+ *  -EINVAL when the skb->data does not contain a valid CAN frame
  */
 int can_send(struct sk_buff *skb, int loop)
 {
 	struct sk_buff *newskb = NULL;
+	struct can_frame *cf = (struct can_frame *)skb->data;
 	int err;
 
+	if (skb->len != sizeof(struct can_frame) || cf->can_dlc > 8) {
+		kfree_skb(skb);
+		return -EINVAL;
+	}
+
 	if (skb->dev->type != ARPHRD_CAN) {
 		kfree_skb(skb);
 		return -EPERM;
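Review bot: The new check in can_send() hard-codes the maximum data length as the literal `8`, and the same literal is repeated in the can_rcv() hunk and in both bcm_tx_setup() hunks below; a named constant (e.g. `CAN_MAX_DLC`, defined next to struct can_frame if the tree does not have one yet) would document the bound and keep the four sites in step. The check is also correct only because of evaluation order: `cf` points into skb->data before the length is known, and the `||` guarantees `cf->can_dlc` is read only once `skb->len` has been confirmed to be a whole frame, so a short comment such as `/* length first: cf is dereferenced only for a full-sized frame */` would protect that ordering against a later reshuffle. can_send()'s body continues past the end of this hunk.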
@@ -605,6 +612,7 @@ static int can_rcv(struct sk_buff *skb, 
 		   struct packet_type *pt, struct net_device *orig_dev)
 {
 	struct dev_rcv_lists *d;
+	struct can_frame *cf = (struct can_frame *)skb->data;
 	int matches;
 
 	if (dev->type != ARPHRD_CAN || dev->nd_net != &init_net) {
@@ -612,6 +620,8 @@ static int can_rcv(struct sk_buff *skb, 
 		return 0;
 	}
 
+	BUG_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8);
+
 	/* update statistics */
 	can_stats.rx_frames++;
 	can_stats.rx_frames_delta++;
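Review bot: The added `BUG_ON()` in can_rcv() turns a malformed frame handed up by a CAN driver into a kernel panic, even though the skb contents at this point come from the device side rather than from this layer. The can_send() hunk above handles the same condition by freeing the skb and returning an error, and the `dev->type` branch a few lines earlier in can_rcv() already drops the packet and returns 0 (presumably after freeing it; that part is outside the hunk), so a warn-once plus drop keeps the diagnostic while making a single bad frame from a buggy driver non-fatal for the whole system. The `cf` pointer introduced in the previous hunk is used only by this check. can_rcv() continues past the end of this hunk.
```c
	if (WARN_ON_ONCE(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8)) {
		kfree_skb(skb);
		return 0;
	}
	/* … unchanged: statistics update … */
```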
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -326,7 +326,7 @@ static void bcm_send_to_user(struct bcm_
 
 	if (head->nframes) {
 		/* can_frames starting here */
-		firstframe = (struct can_frame *) skb_tail_pointer(skb);
+		firstframe = (struct can_frame *)skb_tail_pointer(skb);
 
 		memcpy(skb_put(skb, datalen), frames, datalen);
 
@@ -818,6 +818,10 @@ static int bcm_tx_setup(struct bcm_msg_h
 		for (i = 0; i < msg_head->nframes; i++) {
 			err = memcpy_fromiovec((u8 *)&op->frames[i],
 					       msg->msg_iov, CFSIZ);
+
+			if (op->frames[i].can_dlc > 8)
+				err = -EINVAL;
+
 			if (err < 0)
 				return err;
 
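Review bot: The new can_dlc check in bcm_tx_setup() reads `op->frames[i]` before the result of memcpy_fromiovec() has been examined, so when the copy failed it inspects a frame that may not have been filled in and replaces the copy's error code with -EINVAL; the same pattern appears in the second bcm_tx_setup() hunk just below, where the existing `if (err < 0)` branch also does the kfree() cleanup. Making the dlc test conditional on a successful copy, `if (err >= 0 && op->frames[i].can_dlc > 8)`, fixes both sites with one-line changes and keeps the later error handling untouched. bcm_tx_setup() starts and ends outside these hunks.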
@@ -850,6 +854,10 @@ static int bcm_tx_setup(struct bcm_msg_h
 		for (i = 0; i < msg_head->nframes; i++) {
 			err = memcpy_fromiovec((u8 *)&op->frames[i],
 					       msg->msg_iov, CFSIZ);
+
+			if (op->frames[i].can_dlc > 8)
+				err = -EINVAL;
+
 			if (err < 0) {
 				if (op->frames != &op->sframe)
 					kfree(op->frames);
@@ -1161,9 +1169,12 @@ static int bcm_tx_send(struct msghdr *ms
 
 	skb->dev = dev;
 	skb->sk  = sk;
-	can_send(skb, 1); /* send with loopback */
+	err = can_send(skb, 1); /* send with loopback */
 	dev_put(dev);
 
+	if (err)
+		return err;
+
 	return CFSIZ + MHSIZ;
 }
 
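Review bot: After `err = can_send(skb, 1)` the skb must not be touched on either path, because can_send() frees it itself on every error (the af_can.c hunk above shows kfree_skb() before both the -EINVAL and the -EPERM return), so a comment such as `/* can_send() consumes skb on success and on failure */` next to the call would stop the next reader from adding a kfree_skb() to the new error return and double-freeing. The `err` variable is assigned here but declared outside the hunk; bcm_tx_send()'s header is not visible in the patch.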
@@ -1182,6 +1193,10 @@ static int bcm_sendmsg(struct kiocb *ioc
 	if (!bo->bound)
 		return -ENOTCONN;
 
+	/* check for valid message length from userspace */
+	if (size < MHSIZ || (size - MHSIZ) % CFSIZ)
+		return -EINVAL;
+
 	/* check for alternative ifindex for this bcm_op */
 
 	if (!ifindex && msg->msg_name) {
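Review bot: The added length check proves that `size - MHSIZ` holds a whole number of frames, but this hunk does not relate that count to `msg_head.nframes`, which the bcm_tx_setup() hunks above use as the loop bound when copying frames from the iovec; only the TX_SEND case gets `size != CFSIZ + MHSIZ` in the later hunk. Unless bcm_tx_setup()/bcm_rx_setup() already compare nframes with the payload length (their prologues are outside this patch), consider rejecting `msg_head.nframes > (size - MHSIZ) / CFSIZ` once the header has been copied from the iovec, so an inconsistent header is refused up front instead of relying on memcpy_fromiovec() to fail at the end of the iovec. bcm_sendmsg() continues on both sides of this hunk.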
@@ -1256,8 +1271,8 @@ static int bcm_sendmsg(struct kiocb *ioc
 		break;
 
 	case TX_SEND:
-		/* we need at least one can_frame */
-		if (msg_head.nframes < 1)
+		/* we need exactly one can_frame behind the msg head */
+		if ((msg_head.nframes != 1) || (size != CFSIZ + MHSIZ))
 			ret = -EINVAL;
 		else
 			ret = bcm_tx_send(msg, ifindex, sk);
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -632,6 +632,9 @@ static int raw_sendmsg(struct kiocb *ioc
 	} else
 		ifindex = ro->ifindex;
 
+	if (size != sizeof(struct can_frame))
+		return -EINVAL;
+
 	dev = dev_get_by_index(&init_net, ifindex);
 	if (!dev)
 		return -ENXIO;

-- 

