From patchwork Wed Jan  9 16:55:23 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herton Ronaldo Krzesinski
 <herton.krzesinski@canonical.com>
X-Patchwork-Id: 210766
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id C09DE2C0131
	for <incoming@patchwork.ozlabs.org>;
	Thu, 10 Jan 2013 03:55:34 +1100 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1Tsyw4-00011J-Sd; Wed, 09 Jan 2013 16:55:28 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <herton.krzesinski@canonical.com>) id 1Tsyw2-00010x-S6
	for kernel-team@lists.ubuntu.com; Wed, 09 Jan 2013 16:55:26 +0000
Received: from 189.58.23.196.dynamic.adsl.gvt.net.br ([189.58.23.196]
	helo=canonical.com) by youngberry.canonical.com with esmtpsa
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71)
	(envelope-from <herton.krzesinski@canonical.com>)
	id 1Tsyw2-0007sW-6O; Wed, 09 Jan 2013 16:55:26 +0000
From: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
To: Neal Cardwell <ncardwell@google.com>
Subject: [ 3.5.y.z extended stable ] Patch "inet_diag: avoid unsafe and
	nonsensical prefix matches in" has been added to staging queue
Date: Wed,  9 Jan 2013 14:55:23 -0200
Message-Id: 
 <1357750523-24920-1-git-send-email-herton.krzesinski@canonical.com>
X-Mailer: git-send-email 1.7.9.5
X-Extended-Stable: 3.5
Cc: kernel-team@lists.ubuntu.com, "David S. Miller" <davem@davemloft.net>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

This is a note to let you know that I have just added a patch titled

    inet_diag: avoid unsafe and nonsensical prefix matches in

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Herton

------

From a6ba26ed1b821a3d5f601a95c05de425bfd4db49 Mon Sep 17 00:00:00 2001
From: Neal Cardwell <ncardwell@google.com>
Date: Sat, 8 Dec 2012 19:43:23 +0000
Subject: [PATCH] inet_diag: avoid unsafe and nonsensical prefix matches in
 inet_diag_bc_run()

commit f67caec9068cee426ec23cf9005a1dee2ecad187 upstream.

Add logic to check the address family of the user-supplied conditional
and the address family of the connection entry. We now do not do
prefix matching of addresses from different address families (AF_INET
vs AF_INET6), except for the previously existing support for having an
IPv4 prefix match an IPv4-mapped IPv6 address (which this commit
maintains as-is).

This change is needed for two reasons:

(1) The addresses are different lengths, so comparing a 128-bit IPv6
prefix match condition to a 32-bit IPv4 connection address can cause
us to unwittingly walk off the end of the IPv4 address and read
garbage or oops.

(2) The IPv4 and IPv6 address spaces are semantically distinct, so a
simple bit-wise comparison of the prefixes is not meaningful, and
would lead to bogus results (except for the IPv4-mapped IPv6 case,
which this commit maintains).

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
 net/ipv4/inet_diag.c |   28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--
1.7.9.5

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index efeca3b..5d57af1 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -423,25 +423,31 @@ static int inet_diag_bc_run(const struct nlattr *_bc,
 				break;
 			}

-			if (cond->prefix_len == 0)
-				break;
-
 			if (op->code == INET_DIAG_BC_S_COND)
 				addr = entry->saddr;
 			else
 				addr = entry->daddr;

+			if (cond->family != AF_UNSPEC &&
+			    cond->family != entry->family) {
+				if (entry->family == AF_INET6 &&
+				    cond->family == AF_INET) {
+					if (addr[0] == 0 && addr[1] == 0 &&
+					    addr[2] == htonl(0xffff) &&
+					    bitstring_match(addr + 3,
+							    cond->addr,
+							    cond->prefix_len))
+						break;
+				}
+				yes = 0;
+				break;
+			}
+
+			if (cond->prefix_len == 0)
+				break;
 			if (bitstring_match(addr, cond->addr,
 					    cond->prefix_len))
 				break;
-			if (entry->family == AF_INET6 &&
-			    cond->family == AF_INET) {
-				if (addr[0] == 0 && addr[1] == 0 &&
-				    addr[2] == htonl(0xffff) &&
-				    bitstring_match(addr + 3, cond->addr,
-						    cond->prefix_len))
-					break;
-			}
 			yes = 0;
 			break;
 		}