diff mbox series

[net] ipv6: raw: check passed optlen before reading

Message ID 20211229200947.2862255-1-willemdebruijn.kernel@gmail.com (mailing list archive)
State Accepted
Commit fb7bc9204095090731430c8921f9e629740c110a
Delegated to: Netdev Maintainers
Headers show
Series [net] ipv6: raw: check passed optlen before reading | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 2 maintainers not CCed: dsahern@kernel.org yoshfuji@linux-ipv6.org
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Willem de Bruijn Dec. 29, 2021, 8:09 p.m. UTC 
From: Tamir Duberstein <tamird@gmail.com>

Add a check that the user-provided option is at least as long as the
number of bytes we intend to read. Before this patch we would blindly
read sizeof(int) bytes even in cases where the user passed
optlen<sizeof(int), which would potentially read garbage or fault.

Discovered by new tests in https://github.com/google/gvisor/pull/6957 .

The original get_user call predates history in the git repo.

Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 net/ipv6/raw.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Dec. 29, 2021, 10:20 p.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 29 Dec 2021 15:09:47 -0500 you wrote:
> From: Tamir Duberstein <tamird@gmail.com>
> 
> Add a check that the user-provided option is at least as long as the
> number of bytes we intend to read. Before this patch we would blindly
> read sizeof(int) bytes even in cases where the user passed
> optlen<sizeof(int), which would potentially read garbage or fault.
> 
> [...]

Here is the summary with links:
  - [net] ipv6: raw: check passed optlen before reading
    https://git.kernel.org/netdev/net/c/fb7bc9204095

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 60f1e4f5be5a..c51d5ce3711c 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -1020,6 +1020,9 @@  static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
 	struct raw6_sock *rp = raw6_sk(sk);
 	int val;
 
+	if (optlen < sizeof(val))
+		return -EINVAL;
+
 	if (copy_from_sockptr(&val, optval, sizeof(val)))
 		return -EFAULT;