Message ID | 1450133128-18845-1-git-send-email-hannes@stressinduktion.org |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
On Mon, Dec 14, 2015 at 2:45 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote: > diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c > index fc69e41d09506e..f9ffdf070ad807 100644 > --- a/drivers/net/ppp/pptp.c > +++ b/drivers/net/ppp/pptp.c > @@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, > struct pptp_opt *opt = &po->proto.pptp; > int error = 0; > > + if (sockaddr_len < sizeof(*sp)) > + return -EINVAL; > + I sent a very similar patch: https://patchwork.ozlabs.org/patch/556663/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 14.12.2015 23:58, Cong Wang wrote: > On Mon, Dec 14, 2015 at 2:45 PM, Hannes Frederic Sowa > <hannes@stressinduktion.org> wrote: >> diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c >> index fc69e41d09506e..f9ffdf070ad807 100644 >> --- a/drivers/net/ppp/pptp.c >> +++ b/drivers/net/ppp/pptp.c >> @@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, >> struct pptp_opt *opt = &po->proto.pptp; >> int error = 0; >> >> + if (sockaddr_len < sizeof(*sp)) >> + return -EINVAL; >> + > > I sent a very similar patch: > https://patchwork.ozlabs.org/patch/556663/ Ah, thanks. Did not notice. The connect() part is also already in my queue, but I don't think it solves the use-after-free. The RCU implementation of callid_sock seems broken to me. David, discard my patch. Thanks, Hannes
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c index fc69e41d09506e..f9ffdf070ad807 100644 --- a/drivers/net/ppp/pptp.c +++ b/drivers/net/ppp/pptp.c @@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, struct pptp_opt *opt = &po->proto.pptp; int error = 0; + if (sockaddr_len < sizeof(*sp)) + return -EINVAL; + lock_sock(sk); opt->src_addr = sp->sa_addr.pptp;
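Review bot: the posting has no changelog text above the Reported-by and Signed-off-by trailers, so nothing records why the `sockaddr_len < sizeof(*sp)` test at the top of pptp_bind() is needed. In the visible context `opt->src_addr = sp->sa_addr.pptp` is read from the caller's sockaddr with no other length check in sight, and a sentence describing that short-length case would make the fix reviewable on its own. The direct `return -EINVAL` is fine only because it sits before `lock_sock(sk)`; worth keeping it there if the function is reordered later. The thread mentions connect() as a separate change, and the same test belongs in any other handler in this file that casts a caller-supplied sockaddr to the type of `sp`.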
Reported-by: Dmitry Vyukov <dvyukov@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> --- drivers/net/ppp/pptp.c | 3 +++ 1 file changed, 3 insertions(+)