From patchwork Sun Sep 24 15:14:55 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Meng Xu X-Patchwork-Id: 817926 X-Patchwork-Delegate: davem@davemloft.net
From: Meng Xu To: ilyal@mellanox.com, aviadye@mellanox.com, davejwatson@fb.com, davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: meng.xu@gatech.edu, sanidhya@gatech.edu, taesoo@gatech.edu, Meng Xu Subject: [PATCH] net/tls: move version check after second userspace fetch Date: Sun, 24 Sep 2017 11:14:55 -0400 Message-Id: <1506266095-23003-1-git-send-email-mengxu.gatech@gmail.com> X-Mailer: git-send-email 2.7.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Even the userspace buffer optval passed the version check (i.e., tmp_crypto_info.version == TLS_1_2_VERSION) after the first fetch, it can still be changed before the second copy_from_user() and hence, a version different than TLS_1_2_VERSION may be copied into crypto_info. This patch moves the version check after the second userspace fetch. Signed-off-by: Meng Xu --- net/tls/tls_main.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index 60aff60..d4a7bc6 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -354,12 +354,6 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, goto out; } - /* check version */ - if (tmp_crypto_info.version != TLS_1_2_VERSION) { - rc = -ENOTSUPP; - goto out; - } - /* get user crypto info */ crypto_info = &ctx->crypto_send; @@ -382,6 +376,12 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, rc = -EFAULT; goto err_crypto_info; } + + /* check version */ + if (crypto_info->version != TLS_1_2_VERSION) { + rc = -ENOTSUPP; + goto err_crypto_info; + } break; } default:
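Review bot: In the first hunk (@@ -354), removing the early check means a request with an unsupported version now gets as far as `crypto_info = &ctx->crypto_send;` and the second copy_from_user(), so the context is overwritten with unvalidated user data before the request is rejected. The new check does jump to err_crypto_info rather than out, which looks like the right label, but the commit message should state that this path clears crypto_info. Keeping the old test on tmp_crypto_info.version as a cheap early reject, in addition to the new one, would also avoid touching ctx at all for the common bad-version case.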
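Review bot: In the second hunk (@@ -382), the added check re-validates only crypto_info->version, while the race described in the commit message applies equally to any other field that was examined in tmp_crypto_info and is then fetched again by the second copy_from_user(). The check also sits inside a single case, just before `break;`, so any other case in this switch needs its own copy of it. Consider making the second fetch copy only the bytes that follow the already validated header, which removes the double fetch rather than re-checking after it. Failing that, compare the re-fetched header fields against tmp_crypto_info here instead of testing the version alone.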