[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20241115-sockptr-copy-fixes-v1-3-d183c87fcbd5@rbox.co>
Date: Fri, 15 Nov 2024 00:27:26 +0100
From: Michal Luczaj <mhal@...x.co>
To: Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
David Howells <dhowells@...hat.com>, Marc Dionne <marc.dionne@...istor.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>,
linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
linux-afs@...ts.infradead.org, Jakub Kicinski <kuba@...nel.org>,
Michal Luczaj <mhal@...x.co>
Subject: [PATCH net 3/4] rxrpc: Improve setsockopt() handling of malformed
user input
copy_from_sockptr() doesn't return negative value on error. Instead it's
the number of bytes that could not be copied. Turn that into EFAULT.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: Michal Luczaj <mhal@...x.co>
---
net/rxrpc/af_rxrpc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index f4844683e12039d636253cb06f622468593487eb..dcf64dc148cceb547ffdb1cea8ff53a0633f5c06 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -702,14 +702,14 @@ static int rxrpc_setsockopt(struct socket *sock, int level, int optname,
case RXRPC_MIN_SECURITY_LEVEL:
ret = -EINVAL;
- if (optlen != sizeof(unsigned int))
+ if (optlen != sizeof(min_sec_level))
goto error;
ret = -EISCONN;
if (rx->sk.sk_state != RXRPC_UNBOUND)
goto error;
- ret = copy_from_sockptr(&min_sec_level, optval,
- sizeof(unsigned int));
- if (ret < 0)
+ ret = -EFAULT;
+ if (copy_from_sockptr(&min_sec_level, optval,
+ sizeof(min_sec_level)))
goto error;
ret = -EINVAL;
if (min_sec_level > RXRPC_SECURITY_MAX)
--
2.46.2
Powered by blists - more mailing lists