From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Laight <David.Laight@aculab.com>,
Willem de Bruijn <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.0 15/32] packet: in recvmsg msg_name return at least sizeof sockaddr_ll
Date: Sat, 4 May 2019 12:25:00 +0200 [thread overview]
Message-ID: <20190504102452.993434188@linuxfoundation.org> (raw)
In-Reply-To: <20190504102452.523724210@linuxfoundation.org>
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit b2cf86e1563e33a14a1c69b3e508d15dc12f804c ]
Packet send checks that msg_name is at least sizeof sockaddr_ll.
Packet recv must return at least this length, so that its output
can be passed unmodified to packet send.
This ceased to be true since adding support for lladdr longer than
sll_addr. Since, the return value uses true address length.
Always return at least sizeof sockaddr_ll, even if address length
is shorter. Zero the padding bytes.
Change v1->v2: do not overwrite zeroed padding again. use copy_len.
Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
Suggested-by: David Laight <David.Laight@aculab.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3349,20 +3349,29 @@ static int packet_recvmsg(struct socket
sock_recv_ts_and_drops(msg, sk, skb);
if (msg->msg_name) {
+ int copy_len;
+
/* If the address length field is there to be filled
* in, we fill it in now.
*/
if (sock->type == SOCK_PACKET) {
__sockaddr_check_size(sizeof(struct sockaddr_pkt));
msg->msg_namelen = sizeof(struct sockaddr_pkt);
+ copy_len = msg->msg_namelen;
} else {
struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
msg->msg_namelen = sll->sll_halen +
offsetof(struct sockaddr_ll, sll_addr);
+ copy_len = msg->msg_namelen;
+ if (msg->msg_namelen < sizeof(struct sockaddr_ll)) {
+ memset(msg->msg_name +
+ offsetof(struct sockaddr_ll, sll_addr),
+ 0, sizeof(sll->sll_addr));
+ msg->msg_namelen = sizeof(struct sockaddr_ll);
+ }
}
- memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
- msg->msg_namelen);
+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
}
if (pkt_sk(sk)->auxdata) {
next prev parent reply other threads:[~2019-05-04 10:30 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-04 10:24 [PATCH 5.0 00/32] 5.0.13-stable review Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 01/32] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 02/32] ipv6: A few fixes on dereferencing rt->from Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 03/32] ipv6: fix races in ip6_dst_destroy() Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 04/32] ipv6/flowlabel: wait rcu grace period before put_pid() Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 05/32] ipv6: invert flowlabel sharing check in process and user mode Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 06/32] l2ip: fix possible use-after-free Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 07/32] l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv() Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 08/32] net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 09/32] net: phy: marvell: Fix buffer overrun with stats counters Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 10/32] net/tls: avoid NULL pointer deref on nskb->sk in fallback Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 11/32] rxrpc: Fix net namespace cleanup Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 12/32] sctp: avoid running the sctp state machine recursively Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 13/32] selftests: fib_rule_tests: print the result and return 1 if any tests failed Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 14/32] packet: validate msg_namelen in send directly Greg Kroah-Hartman
2019-05-04 10:25 ` Greg Kroah-Hartman [this message]
2019-05-04 10:25 ` [PATCH 5.0 16/32] selftests: fib_rule_tests: Fix icmp proto with ipv6 Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 17/32] tcp: add sanity tests in tcp_add_backlog() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 18/32] udp: fix GRO reception in case of length mismatch Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 19/32] udp: fix GRO packet of death Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 20/32] bnxt_en: Improve multicast address setup logic Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 21/32] bnxt_en: Free short FW command HWRM memory in error path in bnxt_init_one() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 22/32] bnxt_en: Fix possible crash in bnxt_hwrm_ring_free() under error conditions Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 23/32] bnxt_en: Pass correct extended TX port statistics size to firmware Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 24/32] bnxt_en: Fix statistics context reservation logic Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 25/32] bnxt_en: Fix uninitialized variable usage in bnxt_rx_pkt() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 26/32] net/tls: dont copy negative amounts of data in reencrypt Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 27/32] net/tls: fix copy to fragments " Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 28/32] KVM: x86: Whitelist port 0x7e for pre-incrementing %rip Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 29/32] KVM: nVMX: Fix size checks in vmx_set_nested_state Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 30/32] ALSA: line6: use dynamic buffers Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 31/32] iwlwifi: mvm: properly check debugfs dentry before using it Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 32/32] ath10k: Drop WARN_ON()s that always trigger during system resume Greg Kroah-Hartman
2019-05-04 18:26 ` [PATCH 5.0 00/32] 5.0.13-stable review kernelci.org bot
2019-05-04 23:53 ` Guenter Roeck
2019-05-05 7:11 ` Greg Kroah-Hartman
2019-05-05 3:05 ` Dan Rue
2019-05-05 3:31 ` Guenter Roeck
2019-05-05 12:17 ` Dan Rue
2019-05-05 12:41 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190504102452.993434188@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=David.Laight@aculab.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox