linux/net
Meng Xu c2a64bb9fc net: compat: assert the size of cmsg copied in is as expected
The actual length of cmsg fetched in during the second loop
(i.e., kcmsg - kcmsg_base) could be different from what we
get from the first loop (i.e., kcmlen).

The main reason is that the two get_user() calls in the two
loops (i.e., get_user(ucmlen, &ucmsg->cmsg_len) and
__get_user(ucmlen, &ucmsg->cmsg_len)) could cause ucmlen
to have different values even they fetch from the same userspace
address, as user can race to change the memory content in
&ucmsg->cmsg_len across fetches.

Although in the second loop, the sanity check
if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
is inplace, it only ensures that the cmsg fetched in during the
second loop does not exceed the length of kcmlen, but not
necessarily equal to kcmlen. But indicated by the assignment
kmsg->msg_controllen = kcmlen, we should enforce that.

This patch adds this additional sanity check and ensures that
what is recorded in kmsg->msg_controllen is the actual cmsg length.

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-20 15:36:18 -07:00
..
6lowpan
9p net/9p: switch p9_fd_read to kernel_write 2017-09-04 19:05:16 -04:00
802
8021q
appletalk
atm net: atm: make atmdev_ops const 2017-08-09 22:43:50 -07:00
ax25
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-09 16:28:45 -07:00
bluetooth Bluetooth: Properly check L2CAP config option output buffer length 2017-09-09 17:56:05 -07:00
bpf
bridge bridge: switchdev: Use an helper to clear forward mark 2017-09-05 11:51:47 -07:00
caif
can rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
ceph ceph: more accurate statfs 2017-09-06 19:56:49 +02:00
core bpf: fix ri->map_owner pointer on bpf_prog_realloc 2017-09-19 16:38:53 -07:00
dcb rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
dccp net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv() 2017-08-31 11:43:47 -07:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-09-03 17:08:42 -07:00
dns_resolver
dsa net: dsa: tag_brcm: Set output queue from skb queue mapping 2017-09-05 11:53:34 -07:00
ethernet
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-05 20:03:35 -07:00
ife
ipv4 tcp: fastopen: fix on syn-data transmit failure 2017-09-19 16:16:51 -07:00
ipv6 ipv6: fix net.ipv6.conf.all interface DAD handlers 2017-09-19 16:44:02 -07:00
ipx
iucv
kcm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-15 20:23:23 -07:00
l2tp l2tp: pass tunnel pointer to ->session_create() 2017-09-03 11:04:21 -07:00
l3mdev
lapb
llc
mac80211 mac80211: fix deadlock in driver-managed RX BA session start 2017-09-06 15:22:02 +02:00
mac802154
mpls rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
ncsi net/ncsi: fix ncsi_vlan_rx_{add,kill}_vid references 2017-09-05 09:11:45 -07:00
netfilter netfilter: xt_hashlimit: fix build error caused by 64bit division 2017-09-08 18:55:53 +02:00
netlabel
netlink netlink: access nlk groups safely in netlink bind and getname 2017-09-06 21:22:54 -07:00
netrom
nfc
nsh nsh: add GSO support 2017-08-29 15:16:52 -07:00
openvswitch openvswitch: Fix an error handling path in 'ovs_nla_init_match_and_action()' 2017-09-12 20:37:31 -07:00
packet packet: hold bind lock when rebinding to fanout hook 2017-09-20 13:57:19 -07:00
phonet rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
psample
qrtr rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
rds rds: Fix incorrect statistics counting 2017-09-07 20:07:13 -07:00
rfkill
rose
rxrpc rxrpc: Make service connection lookup always check for retry 2017-09-05 14:39:17 -07:00
sched net/sched: cls_matchall: fix crash when used with classful qdisc 2017-09-18 16:37:36 -07:00
sctp sctp: do not mark sk dumped when inet_sctp_diag_fill returns err 2017-09-15 14:51:15 -07:00
smc net/smc: synchronize buffer usage with device 2017-07-29 11:22:58 -07:00
strparser strparser: initialize all callbacks 2017-08-24 21:57:50 -07:00
sunrpc NFS client updates for Linux 4.14 2017-09-11 22:01:44 -07:00
switchdev net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tipc tipc: remove unnecessary call to dev_net() 2017-09-06 21:25:52 -07:00
tls tls: make tls_sw_free_resources static 2017-09-14 09:55:21 -07:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-21 17:06:42 -07:00
vmw_vsock hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK) 2017-08-28 15:38:18 -07:00
wimax
wireless nl80211: fix null-ptr dereference on invalid mesh configuration 2017-09-18 22:51:07 +02:00
x25 X25: constify null_x25_address 2017-08-03 09:13:51 -07:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
compat.c net: compat: assert the size of cmsg copied in is as expected 2017-09-20 15:36:18 -07:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile nsh: add GSO support 2017-08-29 15:16:52 -07:00
socket.c net: fixes for skb_send_sock 2017-08-16 11:27:52 -07:00
sysctl_net.c