From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
linux-sctp@vger.kernel.org, Neil Horman <nhorman@tuxdriver.com>,
davem@davemloft.net
Subject: Re: [PATCHv2 net-next 1/5] sctp: only copy the available addr data in sctp_transport_init
Date: Tue, 30 Jul 2019 16:24:11 -0300
Message-ID: <20190730192411.GR6204@localhost.localdomain>
In-Reply-To: <bb6e9856c2db0f24b91fb326fbe3c9c013f2459b.1564490276.git.lucien.xin@gmail.com>

On Tue, Jul 30, 2019 at 08:38:19PM +0800, Xin Long wrote:
> 'addr' passed to sctp_transport_init is not always a whole size
> of union sctp_addr, like the path:
>
> sctp_sendmsg() ->
> sctp_sendmsg_new_asoc() ->
> sctp_assoc_add_peer() ->
> sctp_transport_new() -> sctp_transport_init()
>
> In the next patches, we will also pass the address length of data
> only to sctp_assoc_add_peer().
>
> So sctp_transport_init() should copy the only available data from
> addr to peer->ipaddr, instead of 'peer->ipaddr = *addr' which may
> cause slab-out-of-bounds.
>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
> net/sctp/transport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/transport.c b/net/sctp/transport.c
> index e2f8e36..7235a60 100644
> --- a/net/sctp/transport.c
> +++ b/net/sctp/transport.c
> @@ -43,8 +43,8 @@ static struct sctp_transport *sctp_transport_init(struct net *net,
> gfp_t gfp)
> {
> /* Copy in the address. */
> - peer->ipaddr = *addr;
> peer->af_specific = sctp_get_af_specific(addr->sa.sa_family);
> + memcpy(&peer->ipaddr, addr, peer->af_specific->sockaddr_len);

Just for the record, transports are allocated with kzalloc() and this
shouldn't result in any remaining bytes of this buffer being
uninitialized.

That said, unrelated to the patch, memset below and other =0's are not
necessary.

> memset(&peer->saddr, 0, sizeof(union sctp_addr));
>
> peer->sack_generation = 0;
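
Review bot: the added memcpy() dereferences peer->af_specific immediately after it is assigned from sctp_get_af_specific(addr->sa.sa_family), and nothing in this hunk checks the result; the struct assignment it replaces did not depend on that lookup succeeding. If the lookup can return NULL for a family that no caller has validated, this becomes a NULL dereference, so either check the pointer before the copy or state in the commit message where the family is validated. The copy length is also derived only from addr->sa.sa_family, so it is safe only as long as the caller guarantees at least sockaddr_len bytes behind addr; since the commit message says later patches pass the address length down to sctp_assoc_add_peer(), bounding the copy by that length would make the guarantee explicit. Minor: the "Copy in the address." comment now sits above the af_specific lookup rather than the copy.
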
> --
> 2.1.0
>
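
The over-read described in the commit message, as an added userspace example that is not part of the thread or the kernel source: `union demo_addr`, `demo_sockaddr_len()` and `demo_copy_addr()` are hypothetical stand-ins for `union sctp_addr`, `af_specific->sockaddr_len` and the patched copy.

```c
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical userspace stand-in for the kernel's union sctp_addr. */
union demo_addr {
	struct sockaddr sa;
	struct sockaddr_in v4;
	struct sockaddr_in6 v6;
};

/* Stand-in for af_specific->sockaddr_len; 0 means unsupported family. */
static size_t demo_sockaddr_len(sa_family_t family)
{
	return family == AF_INET ? sizeof(struct sockaddr_in) :
	       family == AF_INET6 ? sizeof(struct sockaddr_in6) : 0;
}

/* '*dst = *src' would read sizeof(union demo_addr) bytes from src even when
 * src is a shorter sockaddr_in; copy only what the family guarantees. */
static size_t demo_copy_addr(union demo_addr *dst, const void *src)
{
	sa_family_t family = ((const struct sockaddr *)src)->sa_family;
	size_t len = demo_sockaddr_len(family);

	if (!len)
		return 0;	/* unknown family: copy nothing */
	memset(dst, 0, sizeof(*dst));
	memcpy(dst, src, len);
	return len;
}

int main(void)
{
	/* Constructed input: heap buffer exactly sizeof(struct sockaddr_in) long. */
	struct sockaddr_in *in = calloc(1, sizeof(*in));
	union demo_addr dst;
	size_t n = 0;

	if (in) {
		in->sin_family = AF_INET;
		n = demo_copy_addr(&dst, in);
	}
	free(in);
	return n == sizeof(struct sockaddr_in) ? 0 : 1;
}
```

Built with `-fsanitize=address`, replacing the bounded copy with a whole-union assignment from the same heap buffer is reported as a heap-buffer-overflow read, the userspace counterpart of the slab-out-of-bounds report.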