From patchwork Fri Apr 26 19:27:35 2019
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 1091764
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, David.Laight@aculab.com, idosch@idosch.org, Willem de Bruijn
Subject: [PATCH net] packet: validate msg_namelen in send directly
Date: Fri, 26 Apr 2019 15:27:35 -0400
Message-Id: <20190426192735.145633-1-willemdebruijn.kernel@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Willem de Bruijn

Packet sockets in datagram mode take a destination address. Verify its
length before passing to dev_hard_header.

Prior to 2.6.14-rc3, the send code ignored sll_halen. This is
established behavior.

Directly compare msg_namelen to dev->addr_len.

Fixes: 6b8d95f1795c4 ("packet: validate address length if non-zero")
Suggested-by: David Laight
Signed-off-by: Willem de Bruijn --- net/packet/af_packet.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 9419c5cf4de5e..13301e36b4a28 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2624,10 +2624,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) sll_addr))) goto out; proto = saddr->sll_protocol; - addr = saddr->sll_halen ? saddr->sll_addr : NULL; dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); - if (addr && dev && saddr->sll_halen < dev->addr_len) - goto out_put; + if (po->sk.sk_socket->type == SOCK_DGRAM) { + addr = saddr->sll_addr; + if (dev && msg->msg_namelen < dev->addr_len + + offsetof(struct sockaddr_ll, sll_addr)) + goto out_put; + } } err = -ENXIO; @@ -2824,10 +2827,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) goto out; proto = saddr->sll_protocol; - addr = saddr->sll_halen ? saddr->sll_addr : NULL; dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); - if (addr && dev && saddr->sll_halen < dev->addr_len) - goto out_unlock; + if (sock->type == SOCK_DGRAM) { + addr = saddr->sll_addr; + if (dev && msg->msg_namelen < dev->addr_len + + offsetof(struct sockaddr_ll, sll_addr)) + goto out_unlock; + } } err = -ENXIO;
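Review bot: In the tpacket_snd hunk, addr is now assigned only inside the new `if (po->sk.sk_socket->type == SOCK_DGRAM)` branch, where the removed line set it for any socket type with a non-zero sll_halen. The hunk does not show addr's initialiser, so please confirm it starts as NULL and that non-datagram sockets are meant to proceed with no destination address. This function also reads the type through po->sk.sk_socket while packet_snd uses sock->type; a one-line comment that sk_socket is always set on this send path would save the next reader from checking.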
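Review bot: In the packet_snd hunk, the added test against dev->addr_len sits directly below the retained test `msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))`, so msg_namelen is bounded twice with two different lengths and nothing in the code says why. A short comment above the new block would help, stating that sll_halen is deliberately not used for the datagram destination and that msg_namelen must cover dev->addr_len bytes of sll_addr. The same six added lines appear in tpacket_snd, differing only in the goto label, so a small shared helper returning a boolean would keep the two bounds from drifting apart. The new test is also skipped when dev is NULL; the hunk shows only `err = -ENXIO;` after the block, so it is worth checking that a missing device is rejected before addr is used.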