Message ID | 20230203105755.221545-2-stefan.bader@canonical.com |
---|---|
State | New |
Series | Fix regression introduced by CVE-2023-0461 fix |
On Fri, Feb 3, 2023 at 10:58 AM Stefan Bader <stefan.bader@canonical.com> wrote: > > When adding "net/ulp: prevent ULP without clone op from entering the > LISTEN status" code which changed the error code variable was added. > However, without a different v6.2 change which lets ->get_port() return > a proper errno, we rely on the pre-set value or the error variable. > Adding this right before the call to make it clear where it is needed. > > CVE-2023-0461 > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/ipv4/inet_connection_sock.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c > index eb04214bd648..99ee5c973140 100644 > --- a/net/ipv4/inet_connection_sock.c > +++ b/net/ipv4/inet_connection_sock.c > @@ -1050,7 +1050,7 @@ int inet_csk_listen_start(struct sock *sk, int backlog) > { > struct inet_connection_sock *icsk = inet_csk(sk); > struct inet_sock *inet = inet_sk(sk); > - int err = -EADDRINUSE; > + int err; > > err = inet_ulp_can_listen(sk); > if (unlikely(err)) > @@ -1067,6 +1067,8 @@ int inet_csk_listen_start(struct sock *sk, int backlog) > * after validation is complete. > */ > inet_sk_state_store(sk, TCP_LISTEN); > + /* get_port does not return an error code, yet */ > + err = -EADDRINUSE; > if (!sk->sk_prot->get_port(sk, inet->inet_num)) { > inet->inet_sport = htons(inet->inet_num); > > -- > 2.34.1 Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index eb04214bd648..99ee5c973140 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -1050,7 +1050,7 @@ int inet_csk_listen_start(struct sock *sk, int backlog) { struct inet_connection_sock *icsk = inet_csk(sk); struct inet_sock *inet = inet_sk(sk); - int err = -EADDRINUSE; + int err; err = inet_ulp_can_listen(sk); if (unlikely(err)) @@ -1067,6 +1067,8 @@ int inet_csk_listen_start(struct sock *sk, int backlog) * after validation is complete. */ inet_sk_state_store(sk, TCP_LISTEN); + /* get_port does not return an error code, yet */ + err = -EADDRINUSE; if (!sk->sk_prot->get_port(sk, inet->inet_num)) { inet->inet_sport = htons(inet->inet_num);
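Review bot: In the second hunk, the added comment "get_port does not return an error code, yet" does not say which change it is waiting for; the commit message only refers to "a different v6.2 change". Please name that upstream commit in the comment or the commit message, so that whoever backports it later knows the `err = -EADDRINUSE;` assignment before `->get_port()` can be dropped at the same time. The placement itself looks right: since `err = inet_ulp_can_listen(sk);` overwrites the old initializer removed in the first hunk, err would be 0 when `get_port()` fails unless it is set again at this point.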
When adding "net/ulp: prevent ULP without clone op from entering the LISTEN status" code which changed the error code variable was added. However, without a different v6.2 change which lets ->get_port() return a proper errno, we rely on the pre-set value or the error variable. Adding this right before the call to make it clear where it is needed.

CVE-2023-0461

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

---

net/ipv4/inet_connection_sock.c | 4 +++-

1 file changed, 3 insertions(+), 1 deletion(-)