linux/net/rxrpc
David Howells 66f6fd278c rxrpc: Fix network address validation
Fix network address validation on entry to uapi functions such as connect()
for AF_RXRPC.  The check for address compatibility with the transport
socket isn't correct and allows an AF_INET6 address to be given to an
AF_INET socket, resulting in an oops now that rxrpc is calling
udp_sendmsg() directly.

Sample program:

	#define _GNU_SOURCE
	#include <stdio.h>
	#include <stdlib.h>
	#include <sys/socket.h>
	#include <arpa/inet.h>
	#include <linux/rxrpc.h>

	/* One control message on a 64-bit little-endian build: cmsg_len 0x18,
	 * cmsg_level 0x110 (SOL_RXRPC), cmsg_type 1 (RXRPC_USER_CALL_ID).
	 */
	static unsigned char ctrl[256] =
		"\x18\x00\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x01";

	int main(void)
	{
		/* AF_INET6 transport address; 28 is sizeof(struct sockaddr_in6). */
		struct sockaddr_rxrpc srx = {
			.srx_family			= AF_RXRPC,
			.transport_type			= SOCK_DGRAM,
			.transport_len			= 28,
			.transport.sin6.sin6_family	= AF_INET6,
		};
		struct mmsghdr vec = {
			.msg_hdr.msg_control	= ctrl,
			.msg_hdr.msg_controllen	= 0x18,
		};
		int s;

		/* The protocol argument selects the transport family: AF_INET. */
		s = socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
		if (s < 0) {
			perror("socket");
			exit(1);
		}

		/* Address family does not match the transport socket. */
		if (connect(s, (struct sockaddr *)&srx, sizeof(srx)) < 0) {
			perror("connect");
			exit(1);
		}

		if (sendmmsg(s, &vec, 1, MSG_NOSIGNAL | MSG_MORE) < 0) {
			perror("sendmmsg");
			exit(1);
		}
		return 0;
	}

If working properly, connect() should fail with EAFNOSUPPORT.

Fixes: ed472b0c87 ("rxrpc: Call udp_sendmsg() directly")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
2022-11-16 08:05:11 +00:00
af_rxrpc.c rxrpc: Fix network address validation 2022-11-16 08:05:11 +00:00
ar-internal.h rxrpc: Allocate an skcipher each time needed rather than reusing 2022-11-08 16:42:28 +00:00
call_accept.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
call_event.c rxrpc: Save last ACK's SACK table rather than marking txbufs 2022-11-08 16:42:28 +00:00
call_object.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
conn_client.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
conn_event.c rxrpc: Merge prime_packet_security into init_connection_security 2020-11-23 18:09:30 +00:00
conn_object.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
conn_service.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
input.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
insecure.c rxrpc: Don't use a ring buffer for call Tx queue 2022-11-08 16:42:28 +00:00
Kconfig net: RxRPC: make dependent Kconfig symbols be shown indented 2021-08-18 10:12:11 +01:00
key.c rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-13 10:38:00 -08:00
local_event.c rxrpc: Fix a typo 2021-06-02 14:01:55 -07:00
local_object.c rxrpc: Fix missing IPV6 #ifdef 2022-11-14 09:31:55 +00:00
Makefile rxrpc: Define rxrpc_txbuf struct to carry data to be transmitted 2022-11-08 16:42:28 +00:00
misc.c rxrpc: Get rid of the Rx ring 2022-11-08 16:42:28 +00:00
net_ns.c rxrpc: Add stats procfile and DATA packet stats 2022-11-08 16:42:15 +00:00
output.c rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket 2022-11-16 08:05:11 +00:00
peer_event.c rxrpc: Use the core ICMP/ICMP6 parsers 2022-11-08 16:42:28 +00:00
peer_object.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
proc.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
protocol.h rxrpc: Clone received jumbo subpackets and queue separately 2022-11-08 16:42:28 +00:00
recvmsg.c rxrpc: Get rid of the Rx ring 2022-11-08 16:42:28 +00:00
rtt.c rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies() 2021-09-24 14:18:34 +01:00
rxkad.c rxrpc: Allocate an skcipher each time needed rather than reusing 2022-11-08 16:42:28 +00:00
security.c rxrpc: Hand server key parsing off to the security class 2020-11-23 18:09:29 +00:00
sendmsg.c rxrpc: Fix congestion management 2022-11-08 16:42:28 +00:00
server_key.c rxrpc: fix some null-ptr-deref bugs in server_key.c 2022-03-31 15:21:31 +02:00
skbuff.c rxrpc: Remove the flags from the rxrpc_skb tracepoint 2022-11-08 16:42:28 +00:00
sysctl.c rxrpc: Get rid of the Rx ring 2022-11-08 16:42:28 +00:00
txbuf.c rxrpc: Don't use a ring buffer for call Tx queue 2022-11-08 16:42:28 +00:00
utils.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00