Message ID | Pine.LNX.4.64.0901021040050.6207@wrl-59.cs.helsinki.fi |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Fri, Jan 02, 2009 at 08:53:18AM +0000, Ilpo Järvinen wrote: > > Can you try the patch below. You beat me to it :) > I wonder btw what's the correct policy wrt. those optval == NULL checks > that's visible in the patch' context (IPV6_PKTINFO is the only one which > is doing that while many there fetch to sizeof(struct something)). copy_from_user will catch bogus pointers so no extra checks are necessary. Cheers,
hi, * Ilpo Järvinen (ilpo.jarvinen@helsinki.fi) wrote: > On Thu, 1 Jan 2009, Eric Sesterhenn wrote: > > > Hi, > > > > running "icmpv6fuzz -r 2187" gives me the following oops with current -git > > Can you try the patch below. > > I wonder btw what's the correct policy wrt. those optval == NULL checks > that's visible in the patch' context (IPV6_PKTINFO is the only one which > is doing that while many there fetch to sizeof(struct something)). patch works for me, thanks for the fast reply. Greetings, Eric > [PATCH] ipv6: IPV6_PKTINFO relied userspace providing correct length > > Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> > Reported-by: Eric Sesterhenn <snakebyte@gmx.de> > --- > net/ipv6/ipv6_sockglue.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c > index 0069b7e..d31df0f 100644 > --- a/net/ipv6/ipv6_sockglue.c > +++ b/net/ipv6/ipv6_sockglue.c > @@ -403,7 +403,7 @@ sticky_done: > else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL) > goto e_inval; > > - if (copy_from_user(&pkt, optval, optlen)) { > + if (copy_from_user(&pkt, optval, sizeof(struct in6_pktinfo))) { > retv = -EFAULT; > break; > } -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Herbert Xu <herbert@gondor.apana.org.au> Date: Fri, 2 Jan 2009 20:05:15 +1100 > On Fri, Jan 02, 2009 at 08:53:18AM +0000, Ilpo Järvinen wrote: > > > > Can you try the patch below. > > You beat me to it :) I applied Ilpo's version, because he won :-) Thanks everyone. > > I wonder btw what's the correct policy wrt. those optval == NULL checks > > that's visible in the patch' context (IPV6_PKTINFO is the only one which > > is doing that while many there fetch to sizeof(struct something)). > > copy_from_user will catch bogus pointers so no extra checks are > necessary. Right. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 0069b7e..d31df0f 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -403,7 +403,7 @@ sticky_done: else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL) goto e_inval; - if (copy_from_user(&pkt, optval, optlen)) { + if (copy_from_user(&pkt, optval, sizeof(struct in6_pktinfo))) { retv = -EFAULT; break; }