linux-stable/net
Daniel Borkmann 6a6c028da0 net: llc: fix use after free in llc_ui_recvmsg
[ Upstream commit 4d231b76ee ]

While commit 30a584d944 fixes datagram interface in LLC, a use
after free bug has been introduced for SOCK_STREAM sockets that do
not make use of MSG_PEEK.

The flow is as follows ...

  if (!(flags & MSG_PEEK)) {
    ...
    sk_eat_skb(sk, skb, false);
    ...
  }
  ...
  if (used + offset < skb->len)
    continue;

... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
original length and work on skb_len to check partial reads.

Fixes: 30a584d944 ("[LLX]: SOCK_DGRAM interface fixes")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2014-05-19 07:54:10 +02:00
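Added example, not kernel code: a user-space model of the llc_ui_recvmsg() loop quoted above, showing why the partial-read check `used + offset < skb->len` touches freed memory once sk_eat_skb() has run on a non-MSG_PEEK SOCK_STREAM read, and how snapshotting the length into skb_len before the free avoids it. The struct, mock_sk_eat_skb(), read_len(), simulated_recvmsg(), run_scenario() and the two-skb queue are all constructed here for illustration; the mock marks the skb as freed and poisons its length instead of really freeing it, so the stale load shows up as a counter rather than as undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the fields of struct sk_buff the recvmsg loop touches. */
struct skb {
    size_t len;          /* payload length */
    const char *data;    /* payload bytes */
    int freed;           /* instrumentation: set by mock_sk_eat_skb() */
};

/* Stand-in for sk_eat_skb()/__kfree_skb(): poison ->len and flag the object
 * instead of returning it to the allocator, so a later load is detectable. */
static void mock_sk_eat_skb(struct skb *skb)
{
    skb->freed = 1;
    skb->len = (size_t)-1;          /* whatever the freed slab slot now holds */
}

struct recv_result {
    size_t copied;       /* bytes delivered to the caller */
    int uaf_reads;       /* loads of skb->len after the skb was eaten */
    int aborted;         /* set when such a load happens (KASAN would stop here) */
    char out[16];        /* what the caller received */
};

/* Every skb->len load goes through here so freed loads can be counted. */
static size_t read_len(const struct skb *skb, struct recv_result *r)
{
    if (skb->freed)
        r->uaf_reads++;
    return skb->len;
}

/* Drain up to `len` bytes from `nskb` queued skbs.  `peek` models MSG_PEEK
 * (nothing is freed); `cache_len` selects the fixed variant that compares
 * against the length snapshotted before sk_eat_skb(). */
static struct recv_result simulated_recvmsg(struct skb *queue, size_t nskb,
                                            size_t len, int peek, int cache_len)
{
    struct recv_result r;
    size_t i = 0, offset = 0;

    memset(&r, 0, sizeof(r));
    while (len > 0 && i < nskb) {
        struct skb *skb = &queue[i];
        size_t skb_len = read_len(skb, &r);    /* alive here: the cached length */
        size_t used = skb_len - offset, check_len;
        int eaten = 0;

        if (len < used)
            used = len;
        memcpy(r.out + r.copied, skb->data + offset, used);
        r.copied += used;
        len -= used;

        if (!peek) {
            mock_sk_eat_skb(skb);              /* skb memory is gone from here */
            eaten = 1;
        }

        /* Partial read check: the buggy variant loads skb->len after the free. */
        check_len = cache_len ? skb_len : read_len(skb, &r);
        if (r.uaf_reads) {
            r.aborted = 1;
            break;
        }
        if (!eaten && used + offset < check_len) {
            offset += used;                    /* more left in this skb */
            continue;
        }
        i++;                                   /* move to the next skb */
        offset = 0;
    }
    r.out[r.copied] = '\0';
    return r;
}

/* Constructed queue: two SOCK_STREAM skbs (5 + 6 bytes) read into an 8-byte buffer. */
static struct recv_result run_scenario(int peek, int cache_len)
{
    struct skb queue[2] = { { 5, "hello", 0 }, { 6, "world!", 0 } };
    return simulated_recvmsg(queue, 2, 8, peek, cache_len);
}

static int scenario_out_is(int peek, int cache_len, const char *expected)
{
    struct recv_result r = run_scenario(peek, cache_len);
    return strcmp(r.out, expected) == 0;
}

int main(void)
{
    struct recv_result buggy = run_scenario(0, 0), fixed = run_scenario(0, 1);
    printf("buggy: copied=%zu freed-len loads=%d aborted=%d\n",
           buggy.copied, buggy.uaf_reads, buggy.aborted);
    printf("fixed: copied=%zu freed-len loads=%d out=\"%s\"\n",
           fixed.copied, fixed.uaf_reads, fixed.out);
    return 0;
}
```

With `cache_len` off and MSG_PEEK off, the first iteration eats the skb and the partial-read check immediately loads the poisoned length; with MSG_PEEK on nothing is freed, so neither variant trips, which matches the commit message's note that only non-peeking stream reads were affected. The fix costs one local variable and nothing else.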
9p net/9p: Fix the msize calculation. 2011-11-07 12:32:00 -08:00
802 net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
8021q vlan: fix a race in egress prio management 2014-05-19 07:53:47 +02:00
appletalk net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
atm net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
ax25 net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
bluetooth net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
bridge bridge: flush br's address entry in fdb when remove the bridge dev 2014-05-19 07:54:04 +02:00
can can: add missing socket check in can/raw release 2011-05-09 15:55:42 -07:00
core net: drop_monitor: fix the value of maxattr 2014-05-19 07:54:06 +02:00
dcb dcbnl: fix various netlink info leaks 2013-06-10 11:43:34 +02:00
dccp inet: add RCU protection to inet->opt 2013-06-10 11:43:31 +02:00
decnet DECnet: don't leak uninitialized stack byte 2010-12-09 13:27:03 -08:00
dsa netdev: convert pseudo-devices to netdev_tx_t 2009-09-01 01:13:07 -07:00
econet econet: fix CVE-2010-3848 2011-05-09 15:55:33 -07:00
ethernet net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
ieee802154 net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
ipv4 inet: fix possible seqlock deadlocks 2014-05-19 07:54:05 +02:00
ipv6 ipv6: fix possible seqlock deadlock in ip6_finish_output2 2014-05-19 07:54:05 +02:00
ipx net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
irda net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
iucv net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
key net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
lapb net: remove NET_RX_BAD and NET_RX_CN* defines 2009-07-05 19:15:35 -07:00
llc net: llc: fix use after free in llc_ui_recvmsg 2014-05-19 07:54:10 +02:00
mac80211 mac80211: timeout a single frame in the rx reorder buffer 2012-03-04 09:49:19 -08:00
netfilter ipvs: fix CHECKSUM_PARTIAL for TCP, UDP 2014-05-19 07:53:12 +02:00
netlabel Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-07-30 19:22:43 -07:00
netlink net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
netrom net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
packet net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
phonet inet: prevent leakage of uninitialized memory to user in recv syscalls 2014-05-19 07:53:59 +02:00
rds rds: prevent dereference of a NULL device 2014-05-19 07:54:09 +02:00
rfkill Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-11-23 14:01:47 -08:00
rose net: rose: restore old recvmsg behavior 2014-05-19 07:54:09 +02:00
rxrpc net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
sched htb: fix sign extension bug 2014-05-19 07:53:51 +02:00
sctp sctp: fully initialize sctp_outq in sctp_outq_init 2014-05-19 07:53:49 +02:00
sunrpc kernel panic when mount NFSv4 2013-06-10 11:43:23 +02:00
tipc net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
unix net: unix: allow bind to fail on mutex lock 2014-05-19 07:54:07 +02:00
wanrouter wanmain: comparing array with NULL 2012-10-07 23:38:10 +02:00
wimax wimax: fix warning caused by not checking retval of rfkill_set_hw_state() 2009-06-11 11:12:48 -07:00
wireless nl80211: fix MAC address validation 2011-12-09 09:21:40 -08:00
x25 net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19 07:54:00 +02:00
xfrm xfrm_user: return error pointer instead of NULL #2 2013-06-10 11:42:53 +02:00
compat.c net: clamp ->msg_namelen instead of returning an error 2014-05-19 07:54:02 +02:00
Kconfig net/compat/wext: send different messages to compat tasks 2009-07-15 08:53:39 -07:00
Makefile net: remove redundant sched/ in net/Makefile 2009-07-12 20:11:14 -07:00
nonet.c
socket.c net: clamp ->msg_namelen instead of returning an error 2014-05-19 07:54:02 +02:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00
TUNABLE