diff options
author | Meng Xu <mengxu.gatech@gmail.com> | 2017-09-19 13:19:13 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-09-20 15:36:18 -0700 |
commit | c2a64bb9fcd31c39feddf30748b4ee8d82e53c6a (patch) | |
tree | bae30a193cb370d73f658d404cbfef45882f0a77 /net/core | |
parent | ec9dd352d591f0c90402ec67a317c1ed4fb2e638 (diff) | |
download | linux-c2a64bb9fcd31c39feddf30748b4ee8d82e53c6a.tar.bz2 |
net: compat: assert the size of cmsg copied in is as expected
The actual length of cmsg fetched in during the second loop
(i.e., kcmsg - kcmsg_base) could be different from what we
get from the first loop (i.e., kcmlen).
The main reason is that the two get_user() calls in the two
loops (i.e., get_user(ucmlen, &ucmsg->cmsg_len) and
__get_user(ucmlen, &ucmsg->cmsg_len)) could cause ucmlen
to have different values even they fetch from the same userspace
address, as user can race to change the memory content in
&ucmsg->cmsg_len across fetches.
Although in the second loop, the sanity check
if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
is inplace, it only ensures that the cmsg fetched in during the
second loop does not exceed the length of kcmlen, but not
necessarily equal to kcmlen. But indicated by the assignment
kmsg->msg_controllen = kcmlen, we should enforce that.
This patch adds this additional sanity check and ensures that
what is recorded in kmsg->msg_controllen is the actual cmsg length.
Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
0 files changed, 0 insertions, 0 deletions