From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Willem de Bruijn <willemb@google.com>,
David Laight <David.Laight@aculab.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 082/174] packet: in recvmsg msg_name return at least sizeof sockaddr_ll
Date: Thu, 16 Jan 2020 12:41:19 -0500 [thread overview]
Message-ID: <20200116174251.24326-82-sashal@kernel.org> (raw)
In-Reply-To: <20200116174251.24326-1-sashal@kernel.org>
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit b2cf86e1563e33a14a1c69b3e508d15dc12f804c ]
Packet send checks that msg_name is at least sizeof sockaddr_ll.
Packet recv must return at least this length, so that its output
can be passed unmodified to packet send.
This ceased to be true since adding support for lladdr longer than
sll_addr. Since, the return value uses true address length.
Always return at least sizeof sockaddr_ll, even if address length
is shorter. Zero the padding bytes.
Change v1->v2: do not overwrite zeroed padding again. use copy_len.
Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
Suggested-by: David Laight <David.Laight@aculab.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/packet/af_packet.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8b277658905f..9de7e3e6edd3 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3309,20 +3309,29 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
sock_recv_ts_and_drops(msg, sk, skb);
if (msg->msg_name) {
+ int copy_len;
+
/* If the address length field is there to be filled
* in, we fill it in now.
*/
if (sock->type == SOCK_PACKET) {
__sockaddr_check_size(sizeof(struct sockaddr_pkt));
msg->msg_namelen = sizeof(struct sockaddr_pkt);
+ copy_len = msg->msg_namelen;
} else {
struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
msg->msg_namelen = sll->sll_halen +
offsetof(struct sockaddr_ll, sll_addr);
+ copy_len = msg->msg_namelen;
+ if (msg->msg_namelen < sizeof(struct sockaddr_ll)) {
+ memset(msg->msg_name +
+ offsetof(struct sockaddr_ll, sll_addr),
+ 0, sizeof(sll->sll_addr));
+ msg->msg_namelen = sizeof(struct sockaddr_ll);
+ }
}
- memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
- msg->msg_namelen);
+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
}
if (pkt_sk(sk)->auxdata) {
--
2.20.1
next prev parent reply other threads:[~2020-01-16 17:44 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200116174251.24326-1-sashal@kernel.org>
2020-01-16 17:40 ` [PATCH AUTOSEL 4.4 058/174] net: sh_eth: fix a missing check of of_get_phy_mode Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 069/174] dccp: Fix memleak in __feat_register_sp Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 072/174] ehea: Fix a copy-paste err in ehea_init_port_res Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 076/174] tipc: set sysctl_tipc_rmem and named_timeout right range Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 079/174] 6lowpan: Off by one handling ->nexthdr Sasha Levin
2020-01-16 17:41 ` Sasha Levin [this message]
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 089/174] netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 098/174] inet: frags: call inet_frags_fini() after unregister_pernet_subsys() Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 102/174] net/af_iucv: always register net_device notifier Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 109/174] net: pasemi: fix an use-after-free in pasemi_mac_phy_init() Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 111/174] libertas_tf: Use correct channel range in lbtf_geo_init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 125/174] mac80211: minstrel_ht: fix per-group max throughput rate initialization Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 133/174] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 134/174] net: sonic: return NETDEV_TX_OK if failed to map buffer Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 137/174] net: sonic: replace dev_kfree_skb in sonic_send_packet Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 138/174] net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 140/174] net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 141/174] net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 142/174] net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 143/174] mac80211: accept deauth frames in IBSS mode Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 144/174] llc: fix another potential sk_buff leak in llc_ui_sendmsg() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 145/174] llc: fix sk_buff refcounting in llc_conn_state_process() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 146/174] net: stmmac: fix length of PTP clock's name string Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 150/174] net: qca_spi: Move reset_count to struct qcaspi Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 151/174] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 155/174] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 157/174] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 162/174] net: neigh: use long type to store jiffies delta Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 164/174] packet: fix data-race in fanout_flow_is_huge() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116174251.24326-82-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=David.Laight@aculab.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).