[PATCH 4.19 11/42] tipc: dont assume linear buffer when reading ancillary data

From: Greg Kroah-Hartman
Date: Wed Nov 21 2018 - 14:08:11 EST


4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jon Maloy <donmalo99@xxxxxxxxx>

[ Upstream commit 1c1274a56999fbdf9cf84e332b28448bb2d55221 ]

The code for reading ancillary data from a received buffer is assuming
the buffer is linear. To make this assumption true we have to linearize
the buffer before message data is read.

Signed-off-by: Jon Maloy <jon.maloy@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/tipc/socket.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1548,16 +1548,17 @@ static void tipc_sk_set_orig_addr(struct
/**
* tipc_sk_anc_data_recv - optionally capture ancillary data for received message
* @m: descriptor for message info
- * @msg: received message header
+ * @skb: received message buffer
* @tsk: TIPC port associated with message
*
* Note: Ancillary data is not captured if not requested by receiver.
*
* Returns 0 if successful, otherwise errno
*/
-static int tipc_sk_anc_data_recv(struct msghdr *m, struct tipc_msg *msg,
+static int tipc_sk_anc_data_recv(struct msghdr *m, struct sk_buff *skb,
struct tipc_sock *tsk)
{
+ struct tipc_msg *msg;
u32 anc_data[3];
u32 err;
u32 dest_type;
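Review bot: The kernel-doc for tipc_sk_anc_data_recv does not mention that the function can now linearize @skb, which invalidates any tipc_msg pointer the caller took from the buffer beforehand. Both callers changed in this patch (tipc_recvmsg and tipc_recvstream) re-read `hdr = buf_msg(skb)` after the call, but nothing at the definition tells a future caller to do the same, and a stale header pointer would be a use of freed or relocated memory. I would extend the parameter line to `@skb: received message buffer; may be linearized, so pointers into it must be re-read after the call`. The function body continues outside this hunk.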
@@ -1566,6 +1567,7 @@ static int tipc_sk_anc_data_recv(struct

if (likely(m->msg_controllen == 0))
return 0;
+ msg = buf_msg(skb);

/* Optionally capture errored message object(s) */
err = msg ? msg_errcode(msg) : 0;
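Review bot: The `msg ?` test in `err = msg ? msg_errcode(msg) : 0;` now sits directly after `msg = buf_msg(skb)`, so it reads as a guard for a missing message even though the pointer was just derived from an skb the function already dereferences. The definition of buf_msg() is not shown here; if it cannot return NULL for a valid skb, the line could become `err = msg_errcode(msg);`. If it can, a short comment saying when that happens would make the guard meaningful. The function starts and ends outside this hunk.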
@@ -1576,6 +1578,9 @@ static int tipc_sk_anc_data_recv(struct
if (res)
return res;
if (anc_data[1]) {
+ if (skb_linearize(skb))
+ return -ENOMEM;
+ msg = buf_msg(skb);
res = put_cmsg(m, SOL_TIPC, TIPC_RETDATA, anc_data[1],
msg_data(msg));
if (res)
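Review bot: Linearizing makes the read through `msg_data(msg)` contiguous, but the copy is still only safe for as many bytes as the buffer holds past the header, and `anc_data[1]` is passed to put_cmsg() as the length with no bound visible in this hunk. anc_data[1] is assigned outside the hunk. If it is taken from a length field in the received header, confirm that field is validated against skb->len before this point. Once confirmed, a comment here naming where the check happens would help, for example `/* data size already checked against skb->len in <validation function> */`. The enclosing function starts and ends outside the hunk.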
@@ -1737,9 +1742,10 @@ static int tipc_recvmsg(struct socket *s

/* Collect msg meta data, including error code and rejected data */
tipc_sk_set_orig_addr(m, skb);
- rc = tipc_sk_anc_data_recv(m, hdr, tsk);
+ rc = tipc_sk_anc_data_recv(m, skb, tsk);
if (unlikely(rc))
goto exit;
+ hdr = buf_msg(skb);

/* Capture data if non-error msg, otherwise just set return value */
if (likely(!err)) {
@@ -1849,9 +1855,10 @@ static int tipc_recvstream(struct socket
/* Collect msg meta data, incl. error code and rejected data */
if (!copied) {
tipc_sk_set_orig_addr(m, skb);
- rc = tipc_sk_anc_data_recv(m, hdr, tsk);
+ rc = tipc_sk_anc_data_recv(m, skb, tsk);
if (rc)
break;
+ hdr = buf_msg(skb);
}

/* Copy data if msg ok, otherwise return error/partial data */