linux-stable/net/llc
Hannes Frederic Sowa 4485f23cb4 net: rework recvmsg handler msg_name and msg_namelen logic
CVE-2013-7266

BugLink: http://bugs.launchpad.net/bugs/1267081

This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
to return msg_name to the user.

This prevents numerous uninitialized memory leaks we had in the
recvmsg handlers and makes it harder for new code to accidentally leak
uninitialized memory.

Optimize for the case recvfrom is called with NULL as address. We don't
need to copy the address at all, so set it to NULL before invoking the
recvmsg handler. We can do so, because all the recvmsg handlers must
cope with the case a plain read() is called on them. read() also sets
msg_name to NULL.

Also document these changes in include/linux/net.h as suggested by David
Miller.

Changes since RFC:

Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
affect sendto as it would bail out earlier while trying to copy-in the
address. It also more naturally reflects the logic by the callers of
verify_iovec.

With this change in place I could remove "
if (!uaddr || msg_sys->msg_namelen == 0)
	msg->msg_name = NULL
".

This change does not alter the user visible error logic as we ignore
msg_namelen as long as msg_name is NULL.

Also remove two unnecessary curly brackets in ___sys_recvmsg and change
comments to netdev style.

Cc: David Miller <davem@davemloft.net>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit f3d3342602)
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2014-05-19 07:54:00 +02:00
..
af_llc.c net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
Kconfig Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
llc_c_ac.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-02 22:35:23 -07:00
llc_c_ev.c net: replace remaining __FUNCTION__ occurrences 2008-03-05 20:47:47 -08:00
llc_c_st.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
llc_conn.c llc: Kill outdated and incorrect comment. 2009-05-28 23:31:56 -07:00
llc_core.c net: convert usage of packet_type to read_mostly 2009-03-10 05:22:43 -07:00
llc_if.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
llc_input.c netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
llc_output.c [LLC]: Use skb_reset_mac_header in llc_mac_hdr_init 2007-04-25 22:24:35 -07:00
llc_pdu.c [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
llc_proc.c net: mark read-only arrays as const 2009-08-05 10:42:58 -07:00
llc_s_ac.c [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
llc_s_ev.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
llc_s_st.c [NET] LLC: Fix whitespace errors. 2007-02-10 23:19:53 -08:00
llc_sap.c llc: Fix double accounting of received packets 2008-05-30 02:57:29 -07:00
llc_station.c [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
Makefile [LLC]: Add sysctl support for the LLC timeouts 2005-09-22 04:30:44 -03:00
sysctl_net_llc.c net: '&' redux 2008-11-03 18:21:05 -08:00