tipc: safely copy UDP netlink data from user (ddb37125) · Commits · 戴 / test

net/tipc/udp_media.c

+13 −11

Original line number	Diff line number	Diff line
		@@ -276,7 +276,7 @@ static int parse_options(struct nlattr attrs[], struct udp_bearer ub,
		struct udp_media_addr *remote)
		{
		struct nlattr *opts[TIPC_NLA_UDP_MAX + 1];
		struct sockaddr_storage sa_local, sa_remote;
		struct sockaddr_storage sa_local, sa_remote;

		if (!attrs[TIPC_NLA_BEARER_UDP_OPTS])
		goto err;
		@@ -285,41 +285,43 @@ static int parse_options(struct nlattr attrs[], struct udp_bearer ub,
		tipc_nl_udp_policy))
		goto err;
		if (opts[TIPC_NLA_UDP_LOCAL] && opts[TIPC_NLA_UDP_REMOTE]) {
		sa_local = nla_data(opts[TIPC_NLA_UDP_LOCAL]);
		sa_remote = nla_data(opts[TIPC_NLA_UDP_REMOTE]);
		nla_memcpy(&sa_local, opts[TIPC_NLA_UDP_LOCAL],
		sizeof(sa_local));
		nla_memcpy(&sa_remote, opts[TIPC_NLA_UDP_REMOTE],
		sizeof(sa_remote));
		} else {
		err:
		pr_err("Invalid UDP bearer configuration");
		return -EINVAL;
		}
		if ((sa_local->ss_family & sa_remote->ss_family) == AF_INET) {
		if ((sa_local.ss_family & sa_remote.ss_family) == AF_INET) {
		struct sockaddr_in *ip4;

		ip4 = (struct sockaddr_in *)sa_local;
		ip4 = (struct sockaddr_in *)&sa_local;
		local->proto = htons(ETH_P_IP);
		local->udp_port = ip4->sin_port;
		local->ipv4.s_addr = ip4->sin_addr.s_addr;

		ip4 = (struct sockaddr_in *)sa_remote;
		ip4 = (struct sockaddr_in *)&sa_remote;
		remote->proto = htons(ETH_P_IP);
		remote->udp_port = ip4->sin_port;
		remote->ipv4.s_addr = ip4->sin_addr.s_addr;
		return 0;

		#if IS_ENABLED(CONFIG_IPV6)
		} else if ((sa_local->ss_family & sa_remote->ss_family) == AF_INET6) {
		} else if ((sa_local.ss_family & sa_remote.ss_family) == AF_INET6) {
		struct sockaddr_in6 *ip6;

		ip6 = (struct sockaddr_in6 *)sa_local;
		ip6 = (struct sockaddr_in6 *)&sa_local;
		local->proto = htons(ETH_P_IPV6);
		local->udp_port = ip6->sin6_port;
		local->ipv6 = ip6->sin6_addr;
		memcpy(&local->ipv6, &ip6->sin6_addr, sizeof(struct in6_addr));
		ub->ifindex = ip6->sin6_scope_id;

		ip6 = (struct sockaddr_in6 *)sa_remote;
		ip6 = (struct sockaddr_in6 *)&sa_remote;
		remote->proto = htons(ETH_P_IPV6);
		remote->udp_port = ip6->sin6_port;
		remote->ipv6 = ip6->sin6_addr;
		memcpy(&remote->ipv6, &ip6->sin6_addr, sizeof(struct in6_addr));
		return 0;
		#endif
		}

Admin message