Commit 8605330a authored by Soheil Hassas Yeganeh's avatar Soheil Hassas Yeganeh Committed by David S. Miller
Browse files

tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs 



__sock_recv_timestamp can be called for both normal skbs (for
receive timestamps) and for skbs on the error queue (for transmit
timestamps).

Commit 1c885808
(tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING)
assumes any skb passed to __sock_recv_timestamp are from
the error queue, containing OPT_STATS in the content of the skb.
This results in accessing invalid memory or generating junk
data.

To fix this, set skb->pkt_type to PACKET_OUTGOING for packets
on the error queue. This is safe because on the receive path
on local sockets skb->pkt_type is never set to PACKET_OUTGOING.
With that, copy OPT_STATS from a packet, only if its pkt_type
is PACKET_OUTGOING.

Fixes: 1c885808 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
Reported-by: default avatarJongHwan Kim <zzoru007@gmail.com>
Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 23bb09cf

net/core/skbuff.c

+10 −0
Original line number Diff line number Diff line
@@ -3694,6 +3694,15 @@ static void sock_rmem_free(struct sk_buff *skb) 
	atomic_sub(skb->truesize, &sk->sk_rmem_alloc);

}



static void skb_set_err_queue(struct sk_buff *skb)

{

	/* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.

	 * So, it is safe to (mis)use it to mark skbs on the error queue.

	 */

	skb->pkt_type = PACKET_OUTGOING;

	BUILD_BUG_ON(PACKET_OUTGOING == 0);

}



/*

 * Note: We dont mem charge error packets (no sk_forward_alloc changes)

 */
@@ -3707,6 +3716,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) 
	skb->sk = sk;

	skb->destructor = sock_rmem_free;

	atomic_add(skb->truesize, &sk->sk_rmem_alloc);

	skb_set_err_queue(skb);



	/* before exiting rcu section, make sure dst is refcounted */

	skb_dst_force(skb);

net/socket.c

+12 −1
Original line number Diff line number Diff line
@@ -652,6 +652,16 @@ int kernel_sendmsg(struct socket *sock, struct msghdr *msg, 
}

EXPORT_SYMBOL(kernel_sendmsg);



static bool skb_is_err_queue(const struct sk_buff *skb)

{

	/* pkt_type of skbs enqueued on the error queue are set to

	 * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do

	 * in recvmsg, since skbs received on a local socket will never

	 * have a pkt_type of PACKET_OUTGOING.

	 */

	return skb->pkt_type == PACKET_OUTGOING;

}



/*

 * called from sock_recv_timestamp() if sock_flag(sk, SOCK_RCVTSTAMP)

 */
@@ -695,7 +705,8 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, 
		put_cmsg(msg, SOL_SOCKET,

			 SCM_TIMESTAMPING, sizeof(tss), &tss);



		if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))

		if (skb_is_err_queue(skb) && skb->len &&

		    (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))

			put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,

				 skb->len, skb->data);

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE