From patchwork Thu Dec 22 23:19:16 2016
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 708353
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, njagabar@cloudmark.com, samanthakumar@google.com, Willem de Bruijn
Subject: [PATCH net] inet: fix IP(V6)_RECVORIGDSTADDR for udp sockets
Date: Thu, 22 Dec 2016 18:19:16 -0500
Message-Id: <1482448756-83129-1-git-send-email-willemdebruijn.kernel@gmail.com>

Socket cmsg IP(V6)_RECVORIGDSTADDR checks that port range lies within
the packet. For sockets that have transport headers pulled, transport
offset can be negative. Use signed comparison to avoid overflow.

Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Reported-by: Nisar Jagabar
Signed-off-by: Willem de Bruijn
--- net/ipv4/ip_sockglue.c | 2 +- net/ipv6/datagram.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 8b13881..9760734 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c
@@ -148,7 +148,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) const struct iphdr *iph = ip_hdr(skb); __be16 *ports = (__be16 *)skb_transport_header(skb); - if (skb_transport_offset(skb) + 4 > skb->len) + if (skb_transport_offset(skb) + 4 > (int)skb->len) return; /* All current transport protocols have the port numbers in the diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index 0489e19..1407426 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c @@ -701,7 +701,7 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg, struct sockaddr_in6 sin6; __be16 *ports = (__be16 *) skb_transport_header(skb); - if (skb_transport_offset(skb) + 4 <= skb->len) { + if (skb_transport_offset(skb) + 4 <= (int)skb->len) { /* All current transport protocols have the port numbers in the * first four bytes of the transport header and this function is * written with this assumption in mind.
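Review bot: in ip_cmsg_recv_dstaddr() (net/ipv4/ip_sockglue.c) the bare (int) cast on skb->len carries the whole fix, but nothing at the call site says why it is there, so a later cleanup could drop it as redundant. Please add a short comment above the check stating that skb_transport_offset() can be negative once the transport header has been pulled and that the comparison therefore has to be signed. Note also that with a negative offset the check now passes and ports, taken from skb_transport_header(skb), is read from in front of the current data; the condition only bounds the upper end, so the comment should say that the pulled header is still expected to be present in the buffer at that point.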
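Review bot: in ip6_datagram_recv_specific_ctl() (net/ipv6/datagram.c) the same signed comparison is open-coded a second time, and in the inverted sense (<= guarding a block, where ip_sockglue.c uses > with an early return), which makes it easy for the two copies to drift apart. Consider a small shared helper that answers "are the four port bytes of the transport header within the packet" and does the signed comparison in one place, so both the IPv4 and IPv6 paths call it. If the casts stay inline, the existing comment block directly below the condition is a natural place to mention that the transport offset may be negative for sockets with pulled headers.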