RE: [PATCH] Tools: hv: verify origin of netlink connector message

From: KY Srinivasan
Date: Fri Jun 01 2012 - 15:27:56 EST



> -----Original Message-----
> From: Olaf Hering [mailto:olaf@xxxxxxxxx]
> Sent: Thursday, May 31, 2012 10:40 AM
> To: KY Srinivasan; Greg Kroah-Hartman
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> Subject: [PATCH] Tools: hv: verify origin of netlink connector message
>
> The SuSE security team suggested to use recvfrom instead of recv to be
> certain that the connector message is originated from kernel.

Thanks Olaf.

>
> Signed-off-by: Olaf Hering <olaf@xxxxxxxxx>

Signed-off-by: K. Y. Srinivasan <kys@xxxxxxxxxxxxx>

>
> ---
> tools/hv/hv_kvp_daemon.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> Index: linux-3.4/tools/hv/hv_kvp_daemon.c
> ==============================================================
> =====
> --- linux-3.4.orig/tools/hv/hv_kvp_daemon.c
> +++ linux-3.4/tools/hv/hv_kvp_daemon.c
> @@ -701,14 +701,18 @@ int main(void)
> pfd.fd = fd;
>
> while (1) {
> + struct sockaddr *addr_p = (struct sockaddr *) &addr;
> + socklen_t addr_l = sizeof(addr);
> pfd.events = POLLIN;
> pfd.revents = 0;
> poll(&pfd, 1, -1);
>
> - len = recv(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0);
> + len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
> + addr_p, &addr_l);
>
> - if (len < 0) {
> - syslog(LOG_ERR, "recv failed; error:%d", len);
> + if (len < 0 || addr.nl_pid) {
> + syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
> + addr.nl_pid, errno, strerror(errno));
> close(fd);
> return -1;
> }
>
>

èº{.nÇ+‰·Ÿ®‰­†+%ŠËlzwm…ébëæìr¸›zX§»®w¥Š{ayºÊÚë,j­¢f£¢·hš‹àz¹®w¥¢¸ ¢·¦j:+v‰¨ŠwèjØm¶Ÿÿ¾«‘êçzZ+ƒùšŽŠÝj"ú!¶iO•æ¬z·švØ^¶m§ÿðà nÆàþY&—