From: Sasha Levin <levinsasha928@gmail.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: dbaryshkov@gmail.com, slapin@ossfans.org, davem@davemloft.net,
linux-zigbee-devel@lists.sourceforge.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ieee802154: verify packet size before trying to allocate it
Date: Sun, 10 Jun 2012 14:16:40 +0200
Message-ID: <1339330600.4999.7.camel@lappy>
In-Reply-To: <20120610122435.7d5c8fa7@pyramind.ukuu.org.uk>
Hi Alan,
On Sun, 2012-06-10 at 12:24 +0100, Alan Cox wrote:
> On Sun, 10 Jun 2012 13:10:19 +0200
> Sasha Levin <levinsasha928@gmail.com> wrote:
> > + if (hlen + tlen + size > IEEE802154_MTU) {
> > + err = -EMSGSIZE;
> > + goto out;
>
> What stops an overflow at this point. We'll then pass a small value to
> sock_alloc_send_skb/sock_alloc_send_pskb and copy a large number of bytes
> into it.
>
> This does seem to be already broken, and not fixed by the patch?
>
> Alan
Hm, nothing.
I've added this check to prevent users from being able to allocate huge kernel buffers, and haven't thought about the overflow case at all. Thanks for pointing it out.
How about something like this instead:
-----8<-----
From: Sasha Levin <levinsasha928@gmail.com>
Date: Sun, 10 Jun 2012 13:08:03 +0200
Subject: [PATCH] ieee802154: verify packet size before trying to allocate it
Currently when sending data over datagram, the send function will attempt to
allocate any size passed on from the userspace.
We should make sure that this size is checked and limited. The maximum size
of an IP packet seemed like the safest limit here.
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
---
net/ieee802154/dgram.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
index 6fbb2ad..b098b9c 100644
--- a/net/ieee802154/dgram.c
+++ b/net/ieee802154/dgram.c
@@ -230,6 +230,12 @@ static int dgram_sendmsg(struct kiocb *iocb, struct sock *sk,
mtu = dev->mtu;
pr_debug("name = %s, mtu = %u\n", dev->name, mtu);
+ if (size > mtu) {
+ pr_debug("size = %Zu, mtu = %u\n", size, mtu);
+ err = -EINVAL;
+ goto out_skb;
+ }
+
hlen = LL_RESERVED_SPACE(dev);
tlen = dev->needed_tailroom;
skb = sock_alloc_send_skb(sk, hlen + tlen + size,
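Review bot: the new `if (size > mtu)` block jumps to `out_skb` before `skb` has been assigned by `sock_alloc_send_skb()` three lines further down, so if `out_skb` releases the skb (as its name suggests and as the old post-allocation check relied on), it would now run against an skb that was never allocated; the error path here should only undo what has been done so far, i.e. drop the device reference and return, so a label of the `out_dev` kind is the right target rather than reusing `out_skb` from the old location. While moving the `pr_debug()` line, `%Zu` could also become the kernel's preferred `%zu` for `size_t`.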
@@ -258,12 +264,6 @@ static int dgram_sendmsg(struct kiocb *iocb, struct sock *sk,
if (err < 0)
goto out_skb;
- if (size > mtu) {
- pr_debug("size = %Zu, mtu = %u\n", size, mtu);
- err = -EINVAL;
- goto out_skb;
- }
-
skb->dev = dev;
skb->sk = sk;
skb->protocol = htons(ETH_P_IEEE802154);
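Review bot: this hunk shows that the `size > mtu` test already existed after the allocation and is only being moved earlier, so the patch description above ("We should make sure that this size is checked and limited. The maximum size of an IP packet seemed like the safest limit here.") no longer matches the change: nothing here compares against an IP packet size, the bound is `dev->mtu`, and the point of the patch is that the existing check now runs before `sock_alloc_send_skb()` is asked for `hlen + tlen + size` bytes. Reword the description to say the check is moved before the allocation so that an oversized `size` is rejected before it is used in the allocation length.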
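The wrap Alan points out above, as an added C example (not code from this thread or from net/ieee802154/dgram.c): the first version's `hlen + tlen + size > IEEE802154_MTU` test is computed in unsigned `size_t` arithmetic, so a `size` large enough to wrap the sum makes the total come out small, the check passes, a small buffer is allocated and a large copy follows; comparing `size` against the MTU on its own, before it enters any addition, closes that path. `hlen`, `tlen`, `mtu` and the request lengths are constructed values standing in for `LL_RESERVED_SPACE(dev)`, `dev->needed_tailroom` and `dev->mtu`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Two ways of bounding a user-supplied length before an allocation.
 * All values are constructed for this example: hlen/tlen stand in for
 * LL_RESERVED_SPACE(dev) and dev->needed_tailroom, mtu for dev->mtu.
 * Both functions return the length that would be handed to the allocator,
 * or 0 when the request is rejected (a real device has hlen > 0, so 0
 * never collides with an accepted length here).
 */

/* First version of the patch: add headroom and tailroom first, then compare
 * the total against the MTU. The addition is size_t arithmetic, so a very
 * large `size` wraps around and the total can come out small. */
static size_t alloc_len_sum_then_check(size_t hlen, size_t tlen, size_t size,
                                       unsigned int mtu)
{
    size_t total = hlen + tlen + size;   /* may wrap for a large size */

    if (total > mtu)
        return 0;                        /* -EMSGSIZE in the first version */
    return total;                        /* what sock_alloc_send_skb() would get */
}

/* Revised patch: compare the user-supplied length on its own, before it takes
 * part in any arithmetic. Once size <= mtu holds, hlen + tlen + size is a sum
 * of three small bounded terms and cannot wrap. */
static size_t alloc_len_check_then_sum(size_t hlen, size_t tlen, size_t size,
                                       unsigned int mtu)
{
    if (size > mtu)
        return 0;                        /* -EINVAL in the revised patch */
    return hlen + tlen + size;
}

int main(void)
{
    const size_t hlen = 16, tlen = 8;    /* constructed reserve sizes */
    const unsigned int mtu = 127;        /* IEEE 802.15.4 maximum frame size */
    /* A constructed length chosen so that hlen + tlen + size wraps to 3. */
    const size_t huge = SIZE_MAX - 20;

    printf("honest request (100 bytes): sum-then-check -> %zu, check-then-sum -> %zu\n",
           alloc_len_sum_then_check(hlen, tlen, 100, mtu),
           alloc_len_check_then_sum(hlen, tlen, 100, mtu));
    /* sum-then-check accepts the wrapping request with a 3-byte allocation,
     * while the copy that follows in the send path would still use `size`. */
    printf("wrapping request:           sum-then-check -> %zu, check-then-sum -> %zu\n",
           alloc_len_sum_then_check(hlen, tlen, huge, mtu),
           alloc_len_check_then_sum(hlen, tlen, huge, mtu));
    return 0;
}
```

The ordering is the whole point: any bound on a length coming from userspace has to be applied to that length alone, before it is combined with anything else, because the combined expression is exactly what an attacker-controlled value can push past the type's range.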