Re: [PATCH] ieee802154: verify packet size before trying toallocate it
From: Alan Cox
Date: Sun Jun 10 2012 - 07:21:10 EST
On Sun, 10 Jun 2012 13:10:19 +0200
Sasha Levin <levinsasha928@xxxxxxxxx> wrote:
> Currently when sending data over datagram, the send function will attempt to
> allocate any size passed on from the userspace.
>
> We should make sure that this size is checked and limited. The maximum size
> of an IP packet seemed like the safest limit here.
>
> Signed-off-by: Sasha Levin <levinsasha928@xxxxxxxxx>
> ---
>
> Change in v2:
> - Limit by maximum size the protocol supports.
>
> net/ieee802154/dgram.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
> index 6fbb2ad..628498c 100644
> --- a/net/ieee802154/dgram.c
> +++ b/net/ieee802154/dgram.c
> @@ -232,6 +232,11 @@ static int dgram_sendmsg(struct kiocb *iocb, struct sock *sk,
>
> hlen = LL_RESERVED_SPACE(dev);
> tlen = dev->needed_tailroom;
> + if (hlen + tlen + size > IEEE802154_MTU) {
> + err = -EMSGSIZE;
> + goto out;
What stops an overflow at this point. We'll then pass a small value to
sock_alloc_send_skb/sock_alloc_send_pskb and copy a large number of bytes
into it.
This does seem to be already broken, and not fixed by the patch ?
Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/