diff mbox series

[net,v2,2/4] llc: Improve setsockopt() handling of malformed user input

Message ID 20241115-sockptr-copy-fixes-v2-2-9b1254c18b7a@rbox.co (mailing list archive)
State Superseded
Headers show
Series net: Fix some callers of copy_from_sockptr() | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/SubjectPrefix fail "Bluetooth: " prefix is not specified in the subject

Commit Message

Michal Luczaj Nov. 15, 2024, 1:21 p.m. UTC
copy_from_sockptr()'s non-zero result represents the number of bytes that
could not be copied. Turn that into EFAULT.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
---
 net/llc/af_llc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

David Wei Nov. 16, 2024, 12:59 a.m. UTC | #1
On 2024-11-15 05:21, Michal Luczaj wrote:
> copy_from_sockptr()'s non-zero result represents the number of bytes that
> could not be copied. Turn that into EFAULT.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Michal Luczaj <mhal@rbox.co>
> ---
>  net/llc/af_llc.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
> index 4eb52add7103b0f83d6fe7318abf1d1af533d254..711c8a7a423f1cf1b03e684a6e23c8eefbab830f 100644
> --- a/net/llc/af_llc.c
> +++ b/net/llc/af_llc.c
> @@ -1096,12 +1096,12 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
>  	int rc = -EINVAL;
>  
>  	lock_sock(sk);
> -	if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
> +	if (unlikely(level != SOL_LLC || optlen != sizeof(opt)))
>  		goto out;
> -	rc = copy_from_sockptr(&opt, optval, sizeof(opt));
> -	if (rc)
> +	if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
> +		rc = -EFAULT;
>  		goto out;
> -	rc = -EINVAL;
> +	}
>  	switch (optname) {
>  	case LLC_OPT_RETRY:
>  		if (opt > LLC_OPT_MAX_RETRY)
> 

Can copy_from_sockptr() be deprecated here in favour of
copy_safe_from_sockptr()?
Michal Luczaj Nov. 16, 2024, 9:24 a.m. UTC | #2
On 11/16/24 01:59, David Wei wrote:
> On 2024-11-15 05:21, Michal Luczaj wrote:
>> copy_from_sockptr()'s non-zero result represents the number of bytes that
>> could not be copied. Turn that into EFAULT.
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Michal Luczaj <mhal@rbox.co>
>> ---
>>  net/llc/af_llc.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
>> index 4eb52add7103b0f83d6fe7318abf1d1af533d254..711c8a7a423f1cf1b03e684a6e23c8eefbab830f 100644
>> --- a/net/llc/af_llc.c
>> +++ b/net/llc/af_llc.c
>> @@ -1096,12 +1096,12 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
>>  	int rc = -EINVAL;
>>  
>>  	lock_sock(sk);
>> -	if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
>> +	if (unlikely(level != SOL_LLC || optlen != sizeof(opt)))
>>  		goto out;
>> -	rc = copy_from_sockptr(&opt, optval, sizeof(opt));
>> -	if (rc)
>> +	if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
>> +		rc = -EFAULT;
>>  		goto out;
>> -	rc = -EINVAL;
>> +	}
>>  	switch (optname) {
>>  	case LLC_OPT_RETRY:
>>  		if (opt > LLC_OPT_MAX_RETRY)
>>
> 
> Can copy_from_sockptr() be deprecated here in favour of
> copy_safe_from_sockptr()?

Yeah, good point. I'll wait a bit and send v3.

Thanks!
diff mbox series

Patch

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 4eb52add7103b0f83d6fe7318abf1d1af533d254..711c8a7a423f1cf1b03e684a6e23c8eefbab830f 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -1096,12 +1096,12 @@  static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
 	int rc = -EINVAL;
 
 	lock_sock(sk);
-	if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
+	if (unlikely(level != SOL_LLC || optlen != sizeof(opt)))
 		goto out;
-	rc = copy_from_sockptr(&opt, optval, sizeof(opt));
-	if (rc)
+	if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
+		rc = -EFAULT;
 		goto out;
-	rc = -EINVAL;
+	}
 	switch (optname) {
 	case LLC_OPT_RETRY:
 		if (opt > LLC_OPT_MAX_RETRY)