Message ID | 20221005014750.3685555-2-aahringo@redhat.com (mailing list archive)
---|---
State | Awaiting Upstream
Delegated to | Netdev Maintainers
Series | [net,1/2] Revert "net/ieee802154: reject zero-sized raw_sendmsg()"
Hello.

On 05.10.22 03:47, Alexander Aring wrote:
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
>
> syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
> for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting
> __dev_queue_xmit() with skb->len == 0.
>
> Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was
> able to return 0, don't call __dev_queue_xmit() if packet length is 0.
>
> ----------
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> int main(int argc, char *argv[])
> {
>         struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
>         struct iovec iov = { };
>         struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
>         sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
>         return 0;
> }
> ----------
>
> Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't
> redirect packets with invalid pkt_len") should be reverted, for
> skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
>
> Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4 [1]
> Reported-by: syzbot <syzbot+5ea725c25d06fb9114c4@syzkaller.appspotmail.com>
> Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len")
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Signed-off-by: Alexander Aring <aahringo@redhat.com>
> ---
>  net/ieee802154/socket.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
> index 7889e1ef7fad..6e55fae4c686 100644
> --- a/net/ieee802154/socket.c
> +++ b/net/ieee802154/socket.c
> @@ -272,6 +272,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
>  		err = -EMSGSIZE;
>  		goto out_dev;
>  	}
> +	if (!size) {
> +		err = 0;
> +		goto out_dev;
> +	}
>
>  	hlen = LL_RESERVED_SPACE(dev);
>  	tlen = dev->needed_tailroom;

This patch has been applied to the wpan tree and will be part of the next pull request to net. Thanks!

regards
Stefan Schmidt
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 7889e1ef7fad..6e55fae4c686 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -272,6 +272,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 		err = -EMSGSIZE;
 		goto out_dev;
 	}
+	if (!size) {
+		err = 0;
+		goto out_dev;
+	}
 
 	hlen = LL_RESERVED_SPACE(dev);
 	tlen = dev->needed_tailroom;
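Review bot: the new `if (!size)` early return sits after the -EMSGSIZE check and after the device lookup (`out_dev` is the label that drops the device reference, and `LL_RESERVED_SPACE(dev)` follows directly), so a zero-length send still takes and releases a device reference for a request that does nothing; that placement does preserve the error codes returned by the earlier checks, so if it is deliberate, a one-line comment above the check stating that an skb with skb->len == 0 must not reach __dev_queue_xmit() (the skb_assert_len() warning the commit message cites) would make the bare `err = 0;` / `goto out_dev;` read as intentional rather than as an accidental no-op path.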