| From 310bef8283723a9db9db4a381b2312b504d7493f Mon Sep 17 00:00:00 2001 |
| From: Jason Wang <jasowang@redhat.com> |
| Date: Wed, 30 May 2012 21:18:10 +0000 |
| Subject: [PATCH 1/4] net: sock: validate data_len before allocating skb in |
| sock_alloc_send_pskb() |
| |
| commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc upstream. |
| |
| We need to validate the number of pages consumed by data_len, otherwise the frags |
| array could be overflowed by userspace. So this patch validates data_len and |
| returns -EMSGSIZE when data_len may occupy more frags than MAX_SKB_FRAGS. |
| |
| Signed-off-by: Jason Wang <jasowang@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/core/sock.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| diff --git a/net/core/sock.c b/net/core/sock.c |
| index 78b7087..4b45ad8 100644 |
| --- a/net/core/sock.c |
| +++ b/net/core/sock.c |
| @@ -1425,6 +1425,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, |
| gfp_t gfp_mask; |
| long timeo; |
| int err; |
| + int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; |
| + |
| + err = -EMSGSIZE; |
| + if (npages > MAX_SKB_FRAGS) |
| + goto failure; |
| |
| gfp_mask = sk->sk_allocation; |
| if (gfp_mask & __GFP_WAIT) |
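Review bot: The added initialiser `int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;` narrows the page count to `int` before the `npages > MAX_SKB_FRAGS` check. The declaration of data_len is cut off in the hunk header, but if it is `unsigned long` like header_len, a very large length can wrap the addition or truncate to a small or negative npages, which passes the check. Bounding the length itself avoids both cases, for example `if (data_len > ((unsigned long)MAX_SKB_FRAGS << PAGE_SHIFT)) goto failure;`, with npages computed only afterwards. The `failure` label and the rest of sock_alloc_send_pskb() are outside the hunk, so whether `err` reaches the caller on this early exit should be confirmed there.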
| @@ -1443,14 +1448,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, |
| if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) { |
| skb = alloc_skb(header_len, gfp_mask); |
| if (skb) { |
| - int npages; |
| int i; |
| |
| /* No pages, we're done... */ |
| if (!data_len) |
| break; |
| |
| - npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; |
| skb->truesize += data_len; |
| skb_shinfo(skb)->nr_frags = npages; |
| for (i = 0; i < npages; i++) { |
| -- |
| 1.7.12.rc2 |
| |