Commit 85fbaa75 authored by Hannes Frederic Sowa's avatar Hannes Frederic Sowa Committed by David S. Miller
Browse files

inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions 



Commit bceaa902 ("inet: prevent leakage
of uninitialized memory to user in recv syscalls") conditionally updated
addr_len if the msg_name is written to. The recv_error and rxpmtu
functions relied on the recvmsg functions to set up addr_len before.

As this does not happen any more we have to pass addr_len to those
functions as well and set it to the size of the corresponding sockaddr
length.

This broke traceroute and such.

Fixes: bceaa902 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
Reported-by: default avatarBrad Spengler <spender@grsecurity.net>
Reported-by: Tom Labanowski
Cc: mpb <mpb.mail@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ca15a078

include/net/ip.h

+1 −1
Original line number Diff line number Diff line
@@ -473,7 +473,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname, 
int ip_ra_control(struct sock *sk, unsigned char on,

		  void (*destructor)(struct sock *));



int ip_recv_error(struct sock *sk, struct msghdr *msg, int len);

int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len);

void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port,

		   u32 info, u8 *payload);

void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport,

include/net/ipv6.h

+4 −2
Original line number Diff line number Diff line
@@ -776,8 +776,10 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname, 


int ip6_datagram_connect(struct sock *sk, struct sockaddr *addr, int addr_len);



int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len);

int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len);

int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,

		    int *addr_len);

int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len,

		     int *addr_len);

void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port,

		     u32 info, u8 *payload);

void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info);

include/net/ping.h

+2 −1
Original line number Diff line number Diff line
@@ -31,7 +31,8 @@ 


/* Compatibility glue so we can support IPv6 when it's compiled as a module */

struct pingv6_ops {

	int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len);

	int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len,

			       int *addr_len);

	int (*ip6_datagram_recv_ctl)(struct sock *sk, struct msghdr *msg,

				     struct sk_buff *skb);

	int (*icmpv6_err_convert)(u8 type, u8 code, int *err);

net/ipv4/ip_sockglue.c

+2 −1
Original line number Diff line number Diff line
@@ -386,7 +386,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf 
/*

 *	Handle MSG_ERRQUEUE

 */

int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)

int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)

{

	struct sock_exterr_skb *serr;

	struct sk_buff *skb, *skb2;
@@ -423,6 +423,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) 
						   serr->addr_offset);

		sin->sin_port = serr->port;

		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));

		*addr_len = sizeof(*sin);

	}



	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));

net/ipv4/ping.c

+3 −2
Original line number Diff line number Diff line
@@ -841,10 +841,11 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, 


	if (flags & MSG_ERRQUEUE) {

		if (family == AF_INET) {

			return ip_recv_error(sk, msg, len);

			return ip_recv_error(sk, msg, len, addr_len);

#if IS_ENABLED(CONFIG_IPV6)

		} else if (family == AF_INET6) {

			return pingv6_ops.ipv6_recv_error(sk, msg, len);

			return pingv6_ops.ipv6_recv_error(sk, msg, len,

							  addr_len);

#endif

		}

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE