[PATCH v2] net/sctp: Validate parameter size for SCTP_GET_ASSOC

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
@ 2013-02-27 20:57 Guenter Roeck
  2013-02-27 21:00 ` Vlad Yasevich
  0 siblings, 1 reply; 3+ messages in thread
From: Guenter Roeck @ 2013-02-27 20:57 UTC (permalink / raw)
  To: netdev
  Cc: linux-sctp, Vlad Yasevich, Sridhar Samudrala, Neil Horman,
	David S. Miller, Guenter Roeck

Building sctp may fail with:

In function ‘copy_from_user’,
    inlined from ‘sctp_getsockopt_assoc_stats’ at
    net/sctp/socket.c:5656:20:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
    ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
    buffer size is not provably correct

if built with W=1 due to a missing parameter size validation
before the call to copy_from_user.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
v2: Fix by moving the existing parameter size validation up
    in the function instead of adding an additional one.

 net/sctp/socket.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index cedd9bf..9ef5c73 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
 	if (len < sizeof(sctp_assoc_t))
 		return -EINVAL;
 
+	/* Allow the struct to grow and fill in as much as possible */
+	len = min_t(size_t, len, sizeof(sas));
+
 	if (copy_from_user(&sas, optval, len))
 		return -EFAULT;
 
@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
 	/* Mark beginning of a new observation period */
 	asoc->stats.max_obs_rto = asoc->rto_min;
 
-	/* Allow the struct to grow and fill in as much as possible */
-	len = min_t(size_t, len, sizeof(sas));
-
 	if (put_user(len, optlen))
 		return -EFAULT;
 
-- 
1.7.9.7

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
  2013-02-27 20:57 [PATCH v2] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Guenter Roeck
@ 2013-02-27 21:00 ` Vlad Yasevich
  2013-02-27 21:08   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Vlad Yasevich @ 2013-02-27 21:00 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: netdev, linux-sctp, Sridhar Samudrala, Neil Horman,
	David S. Miller

On 02/27/2013 03:57 PM, Guenter Roeck wrote:
> Building sctp may fail with:
>
> In function ‘copy_from_user’,
>      inlined from ‘sctp_getsockopt_assoc_stats’ at
>      net/sctp/socket.c:5656:20:
> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>      ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
>      buffer size is not provably correct
>
> if built with W=1 due to a missing parameter size validation
> before the call to copy_from_user.
>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
> v2: Fix by moving the existing parameter size validation up
>      in the function instead of adding an additional one.

This works too...

Acked-by: Vlad Yasevich <vyasevich@gmail.com>

>
>   net/sctp/socket.c |    6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index cedd9bf..9ef5c73 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
>   	if (len < sizeof(sctp_assoc_t))
>   		return -EINVAL;
>
> +	/* Allow the struct to grow and fill in as much as possible */
> +	len = min_t(size_t, len, sizeof(sas));
> +
>   	if (copy_from_user(&sas, optval, len))
>   		return -EFAULT;
>
> @@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
>   	/* Mark beginning of a new observation period */
>   	asoc->stats.max_obs_rto = asoc->rto_min;
>
> -	/* Allow the struct to grow and fill in as much as possible */
> -	len = min_t(size_t, len, sizeof(sas));
> -
>   	if (put_user(len, optlen))
>   		return -EFAULT;
>
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
  2013-02-27 21:00 ` Vlad Yasevich
@ 2013-02-27 21:08   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2013-02-27 21:08 UTC (permalink / raw)
  To: vyasevich; +Cc: linux, netdev, linux-sctp, sri, nhorman

From: Vlad Yasevich <vyasevich@gmail.com>
Date: Wed, 27 Feb 2013 16:00:42 -0500

> On 02/27/2013 03:57 PM, Guenter Roeck wrote:
>> Building sctp may fail with:
>>
>> In function ‘copy_from_user’,
>>      inlined from ‘sctp_getsockopt_assoc_stats’ at
>>      net/sctp/socket.c:5656:20:
>> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>>      ‘copy_from_user_overflow’ declared with attribute error:
>>      copy_from_user()
>>      buffer size is not provably correct
>>
>> if built with W=1 due to a missing parameter size validation
>> before the call to copy_from_user.
>>
>> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
>> ---
>> v2: Fix by moving the existing parameter size validation up
>>      in the function instead of adding an additional one.
> 
> This works too...
> 
> Acked-by: Vlad Yasevich <vyasevich@gmail.com>

I'll apply this and queue it up for -stable, thanks everyone.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2013-02-27 21:08 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-27 20:57 [PATCH v2] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Guenter Roeck
2013-02-27 21:00 ` Vlad Yasevich
2013-02-27 21:08   ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox