This is a note to let you know that I've just added the patch titled
net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
sockaddr_storage)
to the 3.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-add-bug_on-if-kernel-advertises-msg_namelen-sizeof-struct-sockaddr_storage.patch
and it can be found in the queue-3.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From foo@baz Thu Dec 5 16:16:39 PST 2013
From: Hannes Frederic Sowa <[email protected]>
Date: Thu, 21 Nov 2013 03:14:34 +0100
Subject: net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
sockaddr_storage)
From: Hannes Frederic Sowa <[email protected]>
[ Upstream commit 68c6beb373955da0886d8f4f5995b3922ceda4be ]
In that case it is probable that kernel code overwrote part of the
stack. So we should bail out loudly here.
The BUG_ON may be removed in future if we are sure all protocols are
conformant.
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/socket.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/socket.c
+++ b/net/socket.c
@@ -221,12 +221,13 @@ static int move_addr_to_user(struct sock
int err;
int len;
+ BUG_ON(klen > sizeof(struct sockaddr_storage));
err = get_user(len, ulen);
if (err)
return err;
if (len > klen)
len = klen;
- if (len < 0 || len > sizeof(struct sockaddr_storage))
+ if (len < 0)
return -EINVAL;
if (len) {
if (audit_sockaddr(klen, kaddr))
Patches currently in stable-queue which might be from
[email protected] are
queue-3.12/ipv6-fix-inet6_init-cleanup-order.patch
queue-3.12/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
queue-3.12/ping-prevent-null-pointer-dereference-on-write-to-msg_name.patch
queue-3.12/inet-prevent-leakage-of-uninitialized-memory-to-user-in-recv-syscalls.patch
queue-3.12/net-rework-recvmsg-handler-msg_name-and-msg_namelen-logic.patch
queue-3.12/ipv6-fix-possible-seqlock-deadlock-in-ip6_finish_output2.patch
queue-3.12/net-add-bug_on-if-kernel-advertises-msg_namelen-sizeof-struct-sockaddr_storage.patch
queue-3.12/ipv6-use-rt6_get_dflt_router-to-get-default-router-in.patch
queue-3.12/random32-fix-off-by-one-in-seeding-requirement.patch
queue-3.12/inet-fix-possible-seqlock-deadlocks.patch
queue-3.12/inet-fix-addr_len-msg-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch
queue-3.12/ipv6-protect-for_each_sk_fl_rcu-in-mem_check-with.patch
queue-3.12/ipv6-fix-leaking-uninitialized-port-number-of-offender-sockaddr.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
