Thread (6 messages) 6 messages, 3 authors, 2013-02-27

Re: [PATCH] net: af_packet: Validate parameter size for PACKET_HDRLEN control message

From: Daniel Borkmann <hidden>
Date: 2013-02-27 20:22:25 

On 02/27/2013 08:46 PM, Guenter Roeck wrote:
quoted hunk ↗ jump to hunk
Building af_packet may fail with

In function ‘copy_from_user’,
     inlined from ‘packet_getsockopt’ at
     net/packet/af_packet.c:3215:21:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
     ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
     buffer size is not provably correct

if built with W=1 due to a missing parameter size validation.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
  net/packet/af_packet.c |    2 ++
  1 file changed, 2 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index c7bfeff..1976b23 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3210,6 +3210,8 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  		val = po->tp_version;
  		break;
  	case PACKET_HDRLEN:
+		if (len < sizeof(int))
+			return -EINVAL;
I think this could break some user space applications here, those who e.g. only pass
an uint16_t to packet_getsockopt with PACKET_HDRLEN.

  		if (len > sizeof(int))
  			len = sizeof(int);
  		if (copy_from_user(&val, optval, len))
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help