linux-stable/net
Paul Moore 89d7ae34cd cipso: don't follow a NULL pointer when setsockopt() is called
As reported by Alan Cox, and verified by Lin Ming, when a user
attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
tag the kernel dies a terrible death when it attempts to follow a NULL
pointer (the skb argument to cipso_v4_validate() is NULL when called via
the setsockopt() syscall).

This patch fixes this by first checking to ensure that the skb is
non-NULL before using it to find the incoming network interface.  In
the unlikely case where the skb is NULL and the user attempts to add
a CIPSO option with the _TAG_LOCAL tag we return an error as this is
not something we want to allow.

A simple reproducer, kindly supplied by Lin Ming, although you must
have the CIPSO DOI #3 configured on the system first or you will be
caught early in cipso_v4_validate():

	#include <sys/types.h>
	#include <sys/socket.h>
	#include <linux/ip.h>		/* IPOPT_CIPSO */
	#include <linux/in.h>		/* IP_OPTIONS, SOL_IP */
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>

	#ifndef SOL_IP
	#define SOL_IP 0
	#endif

	/* CIPSO_V4_TAG_LOCAL tag: type, length, four bytes of payload */
	struct local_tag {
		char type;
		char length;
		char info[4];
	};

	/* CIPSO IP option: type, length, 4-byte DOI, then a single tag */
	struct cipso {
		char type;
		char length;
		char doi[4];
		struct local_tag local;
	};

	int main(int argc, char **argv)
	{
		int sockfd;
		struct cipso cipso = {
			.type = IPOPT_CIPSO,
			.length = sizeof(struct cipso),
			.local = {
				.type = 128,	/* CIPSO_V4_TAG_LOCAL */
				.length = sizeof(struct local_tag),
			},
		};

		/* DOI 3 in network byte order; it must already be configured */
		memset(cipso.doi, 0, 4);
		cipso.doi[3] = 3;

		sockfd = socket(AF_INET, SOCK_DGRAM, 0);
		if (sockfd < 0) {
			perror("socket");
			return 1;
		}

		/* On an unpatched kernel this call does not return */
		if (setsockopt(sockfd, SOL_IP, IP_OPTIONS,
			       &cipso, sizeof(struct cipso)) < 0)
			perror("setsockopt");

		close(sockfd);
		return 0;
	}

CC: Lin Ming <mlin@ss.pku.edu.cn>
Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-07-18 09:01:12 -07:00
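The following is an added userspace model of the validation path the commit describes, written for this page; it is not kernel code and not Paul Moore's patch. It walks the CIPSO option the reproducer sends (type 134, length, 4-byte DOI, then tags) once per caller: the receive path hands in a packet context, the setsockopt() path hands in NULL. The names are assumptions: `struct rx_ctx` stands in for the skb fields consulted, `doi_configured()` for the DOI table with only DOI 3 present, and the model assumes the interface lookup exists so that the local tag is accepted only from the loopback device. The point it shows is that a validator shared by the inbound and setsockopt() paths must check the context pointer before dereferencing it, and must reject the local tag outright when there is no packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire constants as used by the reproducer: IPOPT_CIPSO is option 134
 * (number 6 with the copy and control bits set); the local tag is 128. */
#define CIPSO_OPT_TYPE      134
#define CIPSO_HDR_LEN       6   /* type, length, 4-byte DOI */
#define CIPSO_TAG_RBITMAP   1   /* standard restricted-bitmap tag */
#define CIPSO_TAG_LOCAL     128 /* CIPSO_V4_TAG_LOCAL */
#define CIPSO_TAG_LOCAL_LEN 6   /* type, length, 4 bytes of local data */

enum cipso_verdict {
	CIPSO_OK = 0,
	CIPSO_ERR_HDR,       /* not a CIPSO option, or header truncated */
	CIPSO_ERR_DOI,       /* DOI not configured on this host */
	CIPSO_ERR_TAG_LEN,   /* tag runs past the option or has a bad length */
	CIPSO_ERR_TAG_LOCAL, /* local tag without a loopback receive context */
	CIPSO_ERR_TAG_TYPE,  /* tag type this model does not handle */
};

/* Stand-in (assumption) for the skb fields the validator needs; the
 * setsockopt() path has no packet, so the caller passes NULL. */
struct rx_ctx {
	int dev_is_loopback;
};

/* Stand-in for the DOI table: only DOI 3 is configured, as in the repro. */
static int doi_configured(uint32_t doi)
{
	return doi == 3;
}

int cipso_validate(const uint8_t *opt, size_t opt_len, const struct rx_ctx *rx)
{
	size_t iter, hdr_len, tag_len = 0;
	uint32_t doi;

	if (opt_len < CIPSO_HDR_LEN || opt[0] != CIPSO_OPT_TYPE)
		return CIPSO_ERR_HDR;
	hdr_len = opt[1];
	if (hdr_len < CIPSO_HDR_LEN || hdr_len > opt_len)
		return CIPSO_ERR_HDR;

	doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
	      ((uint32_t)opt[4] << 8) | opt[5];
	if (!doi_configured(doi))
		return CIPSO_ERR_DOI;

	for (iter = CIPSO_HDR_LEN; iter < hdr_len; iter += tag_len) {
		if (iter + 2 > hdr_len)
			return CIPSO_ERR_TAG_LEN;
		tag_len = opt[iter + 1];
		if (tag_len < 2 || iter + tag_len > hdr_len)
			return CIPSO_ERR_TAG_LEN;
		switch (opt[iter]) {
		case CIPSO_TAG_RBITMAP:
			if (tag_len < 4) /* type, length, alignment, level */
				return CIPSO_ERR_TAG_LEN;
			break;
		case CIPSO_TAG_LOCAL:
			/* Reading rx->dev_is_loopback without the NULL check is
			 * the crash the commit fixes: setsockopt() has no packet.
			 * Check the pointer first; a local tag is only accepted
			 * from the loopback device, never from userspace. */
			if (rx == NULL || !rx->dev_is_loopback)
				return CIPSO_ERR_TAG_LOCAL;
			if (tag_len != CIPSO_TAG_LOCAL_LEN)
				return CIPSO_ERR_TAG_LEN;
			break;
		default:
			return CIPSO_ERR_TAG_TYPE;
		}
	}
	return CIPSO_OK;
}

/* The 12 bytes the reproducer hands to setsockopt(): DOI 3, one local tag. */
const uint8_t cipso_repro_option[12] = {
	CIPSO_OPT_TYPE, 12, 0, 0, 0, 3,
	CIPSO_TAG_LOCAL, CIPSO_TAG_LOCAL_LEN, 0, 0, 0, 0,
};

/* setsockopt() path: no packet, hence no receive context. */
int validate_from_setsockopt(const uint8_t *opt, size_t opt_len)
{
	return cipso_validate(opt, opt_len, NULL);
}

/* Receive path: the packet arrived on some interface. */
int validate_from_rx(const uint8_t *opt, size_t opt_len, int on_loopback)
{
	struct rx_ctx rx = { .dev_is_loopback = on_loopback };
	return cipso_validate(opt, opt_len, &rx);
}

int main(void)
{
	printf("setsockopt: %d\n", validate_from_setsockopt(cipso_repro_option, 12));
	printf("rx on lo:   %d\n", validate_from_rx(cipso_repro_option, 12, 1));
	printf("rx on eth0: %d\n", validate_from_rx(cipso_repro_option, 12, 0));
	return 0;
}
```

The reproducer's bytes pass only on the loopback receive path; from setsockopt() or from a non-loopback interface they are rejected with CIPSO_ERR_TAG_LOCAL instead of being dereferenced through a NULL context.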
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-06-28 11:20:31 -07:00
802 tokenring: delete all remaining driver support 2012-05-15 20:23:16 -04:00
8021q net: Fix memory leak - vlan_info struct 2012-07-10 23:32:27 -07:00
appletalk appletalk: Remove out of date message in printk 2012-06-07 13:11:59 -07:00
atm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-05-22 19:22:50 -07:00
ax25 ax25: Fix missing break 2012-07-16 23:22:36 -07:00
batman-adv batman-adv: check incoming packet type for bla 2012-07-06 00:08:46 +02:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-06-28 11:20:31 -07:00
bridge bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2) 2012-06-26 21:12:32 -07:00
caif caif: Fix access to freed pernet memory 2012-07-16 23:06:20 -07:00
can net: remove skb_orphan_try() 2012-06-15 15:30:15 -07:00
ceph libceph: flush msgr queue during mon_client shutdown 2012-06-20 07:43:50 -05:00
core net: cgroup: fix access the unallocated memory in netprio cgroup 2012-07-16 23:00:43 -07:00
dcb
dccp net: include/net/sock.h cleanup 2012-05-17 04:50:21 -04:00
decnet net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
dns_resolver Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-05-21 20:27:36 -07:00
dsa dsa: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:19 -04:00
ethernet net, drivers/net: Convert compare_ether_addr_64bits to ether_addr_equal_64bits 2012-05-10 23:33:01 -04:00
ieee802154 ieee802154: verify packet size before trying to allocate it 2012-07-08 23:49:30 -07:00
ipv4 cipso: don't follow a NULL pointer when setsockopt() is called 2012-07-18 09:01:12 -07:00
ipv6 tcp: heed result of security_inet_conn_request() in tcp_v6_conn_request() 2012-06-25 16:05:19 -07:00
ipx ipx: Remove spurious NULL checking in ipx_ioctl(). 2012-05-19 00:51:04 -04:00
irda
iucv net: remove skb_orphan_try() 2012-06-15 15:30:15 -07:00
key
l2tp net: l2tp_eth: use LLTX to avoid LOCKDEP splats 2012-06-26 16:42:33 -07:00
lapb lapb: Neaten debugging 2012-05-17 18:45:20 -04:00
llc net: include/net/sock.h cleanup 2012-05-17 04:50:21 -04:00
mac80211 mac80211: destroy assoc_data correctly if assoc fails 2012-07-09 15:01:00 -04:00
mac802154 mac802154: add missed braces 2012-06-25 16:35:30 -07:00
netfilter ipvs: fix oops in ip_vs_dst_event on rmmod 2012-07-17 12:00:58 +02:00
netlabel
netlink genetlink: Build a generic netlink family module alias 2012-05-29 22:33:56 -04:00
netrom
nfc NFC: Prevent NULL deref when getting socket name 2012-07-09 15:01:00 -04:00
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-05-16 22:17:37 -04:00
packet
phonet net: remove my future former mail address 2012-06-17 16:29:38 -07:00
rds rds_rdma: don't assume infiniband device is PCI 2012-05-29 17:30:07 -04:00
rfkill
rose
rxrpc net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable 2012-07-09 15:24:33 -07:00
sched sch_sfb: Fix missing NULL check 2012-07-12 08:33:18 -07:00
sctp sctp: Fix list corruption resulting from freeing an association on a list 2012-07-16 22:32:26 -07:00
sunrpc NFS client bugfixes for Linux 3.5 2012-06-15 17:37:23 -07:00
tipc
unix
wanrouter net/wanrouter: Deprecate and schedule for removal 2012-05-24 16:22:53 -04:00
wimax
wireless cfg80211: fix potential deadlock in regulatory 2012-06-13 10:17:53 +02:00
x25
xfrm ipv6: fix incorrect ipsec fragment 2012-05-27 01:11:22 -04:00
compat.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-05-21 20:27:36 -07:00
Kconfig net: drop NET dependency from HAVE_BPF_JIT 2012-05-21 12:50:12 -07:00
Makefile econet: remove ancient bug ridden protocol 2012-05-18 01:35:08 -04:00
nonet.c
socket.c Merge branch 'for-3.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2012-05-22 17:37:47 -07:00
sysctl_net.c net: delete all instances of special processing for token ring 2012-05-15 20:14:35 -04:00