| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1410212999-11013-1-git-send-email-ani@arista.com> Date: Mon, 8 Sep 2014 14:49:59 -0700 From: Ani Sinha <ani@...sta.com> To: ani@...sta.com, fruggeri@...sta.com, davem@...emloft.net, netdev@...r.kernel.org, fenner@...sta.com, travisb@...sta.com, hannes@...essinduktion.org, matthew.leach@....com, eric.dumazet@...il.com Subject: [PATCH 1/1] net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland. Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when msg_name passed set as NULL. When developers don't set msg_namelen member in msghdr, it might contain garbage value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will break old binaries and any code for which there is no access to source code. To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland. Signed-off-by: Ani Sinha <ani@...sta.com> --- net/socket.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/socket.c b/net/socket.c index 95ee7d8..457be6a 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1997,6 +1997,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) return -EFAULT; + if (kmsg->msg_name == NULL) + kmsg->msg_namelen = 0; + if (kmsg->msg_namelen < 0) return -EINVAL; -- 1.7.4.4 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists