linux/net
Neil Horman 55888dfb6b AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Augment raw_send_hdrinc to correct for incorrect ip header length values

A series of oopses was reported to me recently.  Apparently when using AF_RAW
sockets to send data to peers that were reachable via ipsec encapsulation,
people could panic or BUG halt their systems.

I've tracked the problem down to user space sending an invalid ip header over an
AF_RAW socket with IP_HDRINCL set to 1.

Basically what happens is that userspace sends down an ip frame that includes
only the header (no data), but sets the ip header ihl value to a large number,
one that is larger than the total amount of data passed to the sendmsg call.  In
raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
that was passed in, but assume the data is all valid.  Later during ipsec
encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
to provide headroom for the ipsec headers.  During this operation, the
skb->transport_header is repointed to a spot computed by
skb->network_header + the ip header length (ihl).  Since so little data was
passed in relative to the value of ihl provided by the raw socket, we point
transport header to an unknown location, resulting in various crashes.

This fix for this is pretty straightforward, simply validate the value of of
iph->ihl when sending over a raw socket.  If (iph->ihl*4U) > user data buffer
size, drop the frame and return -EINVAL.  I just confirmed this fixes the
reported crashes.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-29 01:09:58 -07:00
..
9p virtio: add virtio IDs file 2009-09-23 22:26:32 +09:30
802 net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
8021q net: fix vlan_get_size to include vlan_flags size 2009-09-26 20:16:07 -07:00
appletalk Have atalk_route_packet() return NET_RX_SUCCESS not NET_XMIT_SUCCESS 2009-09-14 17:02:47 -07:00
atm net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
ax25 ax25: Fix possible oops in ax25_make_new 2009-09-30 16:44:12 -07:00
bluetooth bluetooth: static lock key fix 2009-10-19 19:36:49 -07:00
bridge bridge: Fix double-free in br_add_if. 2009-09-28 12:54:25 -07:00
can net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
core pktgen: Dont leak kernel memory 2009-10-24 06:55:20 -07:00
dcb net: fix double skb free in dcbnl 2009-09-26 20:16:15 -07:00
dccp net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
decnet net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
dsa netdev: convert pseudo-devices to netdev_tx_t 2009-09-01 01:13:07 -07:00
econet Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-08-12 17:44:53 -07:00
ethernet net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
ieee802154 net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
ipv4 AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2) 2009-10-29 01:09:58 -07:00
ipv6 net: Fix IP_MULTICAST_IF 2009-10-19 21:34:20 -07:00
ipx net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
irda net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
iucv net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
key net: file_operations should be const 2009-09-02 01:03:53 -07:00
lapb net: remove NET_RX_BAD and NET_RX_CN* defines 2009-07-05 19:15:35 -07:00
llc net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
mac80211 mac80211: fix for incorrect sequence number on hostapd injected frames 2009-10-27 16:29:48 -04:00
netfilter net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
netlabel Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-07-30 19:22:43 -07:00
netlink net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
netrom net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
packet net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
phonet Phonet: fix mutex imbalance 2009-09-30 16:41:34 -07:00
rds net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
rfkill rfkill: add the GPS radio type 2009-08-04 16:44:23 -04:00
rose net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
rxrpc net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
sched pkt_sched: pedit use proper struct 2009-10-11 23:03:47 -07:00
sctp net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
sunrpc net: fix htmldocs sunrpc, clnt.c 2009-09-24 15:39:14 -07:00
tipc net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
unix AF_UNIX: Fix deadlock on connecting to shutdown socket 2009-10-18 23:17:37 -07:00
wanrouter headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
wimax wimax: fix warning caused by not checking retval of rfkill_set_hw_state() 2009-06-11 11:12:48 -07:00
wireless cfg80211: sme: deauthenticate on assoc failure 2009-10-27 16:29:47 -04:00
x25 net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
xfrm net: file_operations should be const 2009-09-02 01:03:53 -07:00
compat.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
Kconfig net/compat/wext: send different messages to compat tasks 2009-07-15 08:53:39 -07:00
Makefile net: remove redundant sched/ in net/Makefile 2009-07-12 20:11:14 -07:00
nonet.c
socket.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00
TUNABLE