Re: net/udp: slab-out-of-bounds Read in udp_recvmsg

From: David Miller
Date: Wed Mar 15 2017 - 18:08:45 EST


From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Date: Wed, 15 Mar 2017 09:10:33 -0700

> @@ -692,12 +692,17 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
> ktime_to_timespec_cond(shhwtstamps->hwtstamp, tss.ts + 2))
> empty = 0;
> if (!empty) {
> + unsigned int hlen = skb_headlen(skb);
> +
> put_cmsg(msg, SOL_SOCKET,
> SCM_TIMESTAMPING, sizeof(tss), &tss);
>
> - if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
> + if (hlen &&
> + (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
> + sk->sk_protocol == IPPROTO_TCP &&
> + sk->sk_type == SOCK_STREAM)
> put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
> - skb->len, skb->data);
> + hlen, skb->data);
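Review bot: in the new `if (hlen && ...)` condition, switching from skb->len to skb_headlen() stops the over-read but silently truncates the cmsg whenever the skb is non-linear: userspace receives `hlen` bytes of `skb->data` with no indication that anything held in page fragments was left out. If the stats skb is expected to always be linear, state that next to the new check (a comment, or `WARN_ON_ONCE(skb_is_nonlinear(skb))`); if it is not, linearize before put_cmsg() or copy the full skb->len bytes into a temporary buffer with skb_copy_bits() so the payload stays whole. Also, the added `sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM` guard is the part that actually keeps UDP sockets out of this path; a one-line comment tying it to the udp_recvmsg report would help the next reader.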

Hmmm, what is the true intention of SOF_TIMESTAMPING_OPT_STATS then? The
existing code seems to want to dump the entire SKB into the cmsg, and if
that's the case then the fix is to linearize the skb before the put_cmsg()
or have a way to put a non-linear SKB into a cmsg.
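The quoted hunk hands userspace `hlen` bytes of `skb->data` as a single SCM_TIMESTAMPING_OPT_STATS cmsg. As an added example that is not part of this thread or of the kernel tree, this is what a recvmsg() caller does with that cmsg: walk the control buffer, then parse the payload with the same bounds rule the kernel's nla_ok() applies, so a blob that arrived cut short is rejected instead of over-read. The netlink-attribute layout, the TCP_NLA_* type numbers and the alignment-pad behaviour are assumptions about the 4.10-era TCP stats code, not something the messages above state; the sample payload is constructed, not captured.

```c
/* Added example, not code from the patch or the kernel tree: the userspace side
 * of the SCM_TIMESTAMPING_OPT_STATS cmsg that the quoted hunk emits. Assumed
 * (the thread does not say so): the payload is a run of netlink attributes
 * (struct nlattr TLVs) holding u64 TCP chrono stats, as nla_put_u64_64bit()
 * builds them in 4.10-era net/ipv4/tcp.c. Constants mirror that era's uapi
 * values but are defined locally so this builds without kernel headers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define SCM_TS_OPT_STATS 54                   /* SCM_TIMESTAMPING_OPT_STATS */
#define NLA_ALIGN(len)   (((len) + 3u) & ~3u)
struct nla_hdr { uint16_t nla_len; uint16_t nla_type; };  /* == struct nlattr */
#define NLA_HDRLEN       ((size_t)NLA_ALIGN(sizeof(struct nla_hdr)))
enum { NLA_T_PAD = 0, NLA_T_BUSY, NLA_T_RWND_LIMITED, NLA_T_SNDBUF_LIMITED }; /* TCP_NLA_* */

struct tcp_opt_stats {
    uint64_t busy, rwnd_limited, sndbuf_limited;  /* microseconds */
    unsigned seen;                                /* bitmask of NLA_T_* present */
};

/* Walk the TLVs with the kernel's nla_ok() rule (each attr must fit in what is
 * left). Returns attrs consumed, or -1 if the payload is malformed or was cut
 * inside an attribute. Unknown types are skipped for forward compatibility. */
int parse_opt_stats(const unsigned char *buf, size_t len, struct tcp_opt_stats *out)
{
    size_t off = 0, step;
    int n = 0;
    memset(out, 0, sizeof(*out));
    while (len - off >= NLA_HDRLEN) {
        struct nla_hdr h;
        uint64_t v;
        memcpy(&h, buf + off, sizeof(h));          /* no unaligned deref */
        if (h.nla_len < NLA_HDRLEN || h.nla_len > len - off)
            return -1;                             /* claims bytes we do not have */
        if (h.nla_type >= NLA_T_BUSY && h.nla_type <= NLA_T_SNDBUF_LIMITED) {
            if (h.nla_len - NLA_HDRLEN != sizeof(v))
                return -1;                         /* chrono stats are always u64 */
            memcpy(&v, buf + off + NLA_HDRLEN, sizeof(v));
            if (h.nla_type == NLA_T_BUSY)              out->busy = v;
            else if (h.nla_type == NLA_T_RWND_LIMITED) out->rwnd_limited = v;
            else                                       out->sndbuf_limited = v;
            out->seen |= 1u << h.nla_type;
        }                                          /* NLA_T_PAD and others: skip */
        step = NLA_ALIGN(h.nla_len);
        off += step > len - off ? len - off : step;
        n++;
    }
    return n;
}

/* Append one u64 attr as nla_put_u64_64bit() does. On arches without efficient
 * unaligned access the kernel first emits an empty TCP_NLA_PAD attr so the u64
 * lands 8-byte aligned; with_pad=1 models that layout, with_pad=0 models x86. */
size_t put_u64_attr(unsigned char *buf, size_t off, uint16_t type, uint64_t v, int with_pad)
{
    struct nla_hdr pad = { (uint16_t)NLA_HDRLEN, NLA_T_PAD };
    struct nla_hdr h = { (uint16_t)(NLA_HDRLEN + sizeof(v)), type };
    if (with_pad && (off + NLA_HDRLEN) % 8) {
        memcpy(buf + off, &pad, sizeof(pad));
        off += NLA_HDRLEN;
    }
    memcpy(buf + off, &h, sizeof(h));
    memcpy(buf + off + NLA_HDRLEN, &v, sizeof(v));
    return off + NLA_HDRLEN + sizeof(v);
}

/* What a recvmsg() caller does with msg_control: find the stats cmsg and parse
 * exactly the bytes it carries (cmsg_len minus header). -2 if none present. */
int scan_cmsgs(struct msghdr *msg, struct tcp_opt_stats *out)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_TS_OPT_STATS)
            return parse_opt_stats(CMSG_DATA(c), c->cmsg_len - CMSG_LEN(0), out);
    return -2;
}

/* Build a constructed sample (busy 1500us, rwnd-limited 200us, sndbuf-limited
 * 0us: 48 bytes with pads, 36 without), wrap it in a cmsg as put_cmsg() would,
 * and parse it. Non-zero truncate_to keeps only that many payload bytes. */
int demo_recv(int with_pad, size_t truncate_to, struct tcp_opt_stats *out)
{
    unsigned char payload[64], ctrl[CMSG_SPACE(64)];
    struct msghdr msg;
    struct cmsghdr *c;
    size_t plen = put_u64_attr(payload, 0, NLA_T_BUSY, 1500, with_pad);
    plen = put_u64_attr(payload, plen, NLA_T_RWND_LIMITED, 200, with_pad);
    plen = put_u64_attr(payload, plen, NLA_T_SNDBUF_LIMITED, 0, with_pad);
    if (truncate_to && truncate_to < plen)
        plen = truncate_to;                        /* model a blob that was cut short */
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = ctrl;
    msg.msg_controllen = CMSG_SPACE(plen);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_TS_OPT_STATS;
    c->cmsg_len = CMSG_LEN(plen);
    memcpy(CMSG_DATA(c), payload, plen);
    return scan_cmsgs(&msg, out);
}
```

To run it stand-alone, call demo_recv() from a main() and print the returned count and the three stats. Two outcomes are worth noticing. A payload cut inside an attribute (demo_recv(1, 30, ...)) fails the nla_ok() rule and parses to -1, but a payload cut exactly on an attribute boundary (demo_recv(0, 24, ...)) parses cleanly with the last attribute simply absent, so a consumer has to check the `seen` mask and not just the return value. That is the failure mode of handing userspace only part of a longer blob: the receiver cannot always tell it was truncated. The pad attribute is why the parser skips TCP_NLA_PAD rather than treating every TLV as a stat.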