Commit db31c55a authored Nov 27, 2013 by Dan Carpenter Committed by David S. Miller Nov 29, 2013

net: clamp ->msg_namelen instead of returning an error



If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
original code that would lead to memory corruption in the kernel if you
had audit configured.  If you didn't have audit configured it was
harmless.

There are some programs such as beta versions of Ruby which use too
large of a buffer and returning an error code breaks them.  We should
clamp the ->msg_namelen value instead.

Fixes: 1661bf36 ("net: heap overflow in __audit_sockaddr()")
Reported-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Eric Wong <normalperson@yhbt.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent ec6f809f

net/compat.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr kmsg, struct compat_msghdr __user umsg)
		__get_user(kmsg->msg_flags, &umsg->msg_flags))
		return -EFAULT;
		if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
		return -EINVAL;
		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
		kmsg->msg_name = compat_ptr(tmp1);
		kmsg->msg_iov = compat_ptr(tmp2);
		kmsg->msg_control = compat_ptr(tmp3);

net/socket.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1973,7 +1973,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
		if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
		return -EFAULT;
		if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
		return -EINVAL;
		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
		return 0;
		}

Admin message