mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-28 21:33:52 +00:00
netrom: fix info-leak in nr_write_internal()
[ Upstream commit31642e7089
] Simon Kapadia reported the following issue: <quote> The Online Amateur Radio Community (OARC) has recently been experimenting with building a nationwide packet network in the UK. As part of our experimentation, we have been testing out packet on 300bps HF, and playing with net/rom. For HF packet at this baud rate you really need to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60, and a net/rom PACLEN of 40 to go with that. However the Linux net/rom support didn't work with a low PACLEN; the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.: Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet! This didn't make any sense to me (if the packets are smaller why would they be truncated?) so I started investigating. I looked at the packets using ethereal, and found that many were just huge compared to what I would expect. A simple net/rom connection request packet had the request and then a bunch of what appeared to be random data following it: </quote> Simon provided a patch that I slightly revised: Not only we must not use skb_tailroom(), we also do not want to count NR_NETWORK_LEN twice. Fixes:1da177e4c3
("Linux-2.6.12-rc2") Co-Developed-by: Simon Kapadia <szymon@kapadia.pl> Signed-off-by: Simon Kapadia <szymon@kapadia.pl> Signed-off-by: Eric Dumazet <edumazet@google.com> Tested-by: Simon Kapadia <szymon@kapadia.pl> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
232e04aa3f
commit
38836ee24e
1 changed files with 4 additions and 3 deletions
|
@ -126,7 +126,7 @@ void nr_write_internal(struct sock *sk, int frametype)
|
||||||
unsigned char *dptr;
|
unsigned char *dptr;
|
||||||
int len, timeout;
|
int len, timeout;
|
||||||
|
|
||||||
len = NR_NETWORK_LEN + NR_TRANSPORT_LEN;
|
len = NR_TRANSPORT_LEN;
|
||||||
|
|
||||||
switch (frametype & 0x0F) {
|
switch (frametype & 0x0F) {
|
||||||
case NR_CONNREQ:
|
case NR_CONNREQ:
|
||||||
|
@ -144,7 +144,8 @@ void nr_write_internal(struct sock *sk, int frametype)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
|
skb = alloc_skb(NR_NETWORK_LEN + len, GFP_ATOMIC);
|
||||||
|
if (!skb)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -152,7 +153,7 @@ void nr_write_internal(struct sock *sk, int frametype)
|
||||||
*/
|
*/
|
||||||
skb_reserve(skb, NR_NETWORK_LEN);
|
skb_reserve(skb, NR_NETWORK_LEN);
|
||||||
|
|
||||||
dptr = skb_put(skb, skb_tailroom(skb));
|
dptr = skb_put(skb, len);
|
||||||
|
|
||||||
switch (frametype & 0x0F) {
|
switch (frametype & 0x0F) {
|
||||||
case NR_CONNREQ:
|
case NR_CONNREQ:
|
||||||
|
|
Loading…
Reference in a new issue