| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOxq_8Nvox3ABUoZFzmvMyb4XwAHx1YdTPfx9rpKAofM7crq=w@mail.gmail.com> Date: Fri, 5 Sep 2014 14:44:32 -0700 From: Ani Sinha <ani@...sta.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org> Cc: David Miller <davem@...emloft.net>, "matthew.leach" <matthew.leach@....com>, netdev@...r.kernel.org, fenner <fenner@...sta.com>, fruggeri <fruggeri@...sta.com>, travisb <travisb@...sta.com> Subject: Re: [PATCH] net: socket: do not validate msg_namelen unless msg_name is non-NULL On Fri, Sep 5, 2014 at 2:26 PM, Hannes Frederic Sowa > If you set msg_namelen = 0 if msg_name == NULL prior to the < 0 check it > should not trigger the return -EINVAL and also we don't run into the > unsafe implicit conversion case when comparing msg_namelen with the > result of the sizeof(). Do you see any problems with that? yes, sorry I misunderstood you. Here's the updated patch : >From ea39174d4475d7def61410210613ab24a4ce0e81 Mon Sep 17 00:00:00 2001 From: Ani Sinha <ani@...stanetworks.com> Date: Fri, 5 Sep 2014 14:33:20 -0700 Subject: [PATCH] net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland. Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when msg_name passed set as NULL. When developers don't set msg_namelen member in msghdr, it might contain garbage value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will break old binaries and any code for which there is no access to source code. To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland. Signed-off-by: Ani Sinha <ani@...stanetworks.com> --- net/socket.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/socket.c b/net/socket.c index 95ee7d8..457be6a 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1997,6 +1997,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) return -EFAULT; + if (kmsg->msg_name == NULL) + kmsg->msg_namelen = 0; + if (kmsg->msg_namelen < 0) return -EINVAL; -- 1.7.4.4 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists