net: clamp ->msg_namelen instead of returning an error

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
original code that would lead to memory corruption in the kernel if you
had audit configured. If you didn't have audit configured it was
harmless.

There are some programs such as beta versions of Ruby which use too
large of a buffer and returning an error code breaks them. We should
clamp the ->msg_namelen value instead.

Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
Reported-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Eric Wong <normalperson@yhbt.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Dan Carpenter and committed by

David S. Miller 12 years ago db31c55a ec6f809f

+2 -2

2 changed files

expand all

net

compat.c

socket.c

+1 -1

net/compat.c

··· 72 72 __get_user(kmsg->msg_flags, &umsg->msg_flags)) 73 73 return -EFAULT; 74 74 if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) 75 - return -EINVAL; 75 + kmsg->msg_namelen = sizeof(struct sockaddr_storage); 76 76 kmsg->msg_name = compat_ptr(tmp1); 77 77 kmsg->msg_iov = compat_ptr(tmp2); 78 78 kmsg->msg_control = compat_ptr(tmp3);

+1 -1

net/socket.c

··· 1973 1973 if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) 1974 1974 return -EFAULT; 1975 1975 if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) 1976 - return -EINVAL; 1976 + kmsg->msg_namelen = sizeof(struct sockaddr_storage); 1977 1977 return 0; 1978 1978 } 1979 1979