[v8,3/5] rxrpc: check return value of skb_to_sgvec always

Message ID	20170511194134.31183-4-Jason@zx2c4.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <kernel-hardening-return-7860-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com> Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk From: "Jason A. Donenfeld" <Jason@zx2c4.com> To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, kernel-hardening@lists.openwall.com Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>, David Howells <dhowells@redhat.com> Date: Thu, 11 May 2017 21:41:32 +0200 Message-Id: <20170511194134.31183-4-Jason@zx2c4.com> In-Reply-To: <20170511194134.31183-1-Jason@zx2c4.com> References: <20170511194134.31183-1-Jason@zx2c4.com> Subject: [kernel-hardening] [PATCH v8 3/5] rxrpc: check return value of skb_to_sgvec always

Message ID

20170511194134.31183-4-Jason@zx2c4.com (mailing list archive)

State

New, archived

Headers

Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	davem@davemloft.net, kernel-hardening@lists.openwall.com
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
	David Howells <dhowells@redhat.com>
Date: Thu, 11 May 2017 21:41:32 +0200
Message-Id: <20170511194134.31183-4-Jason@zx2c4.com>
In-Reply-To: <20170511194134.31183-1-Jason@zx2c4.com>
References: <20170511194134.31183-1-Jason@zx2c4.com>
Subject: [kernel-hardening] [PATCH v8 3/5] rxrpc: check return value of
	skb_to_sgvec always

Comments

David Howells May 15, 2017, 1:11 p.m. UTC | #1

Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> +	if (unlikely(skb_to_sgvec(skb, sg, offset, 8) < 0))
> +		goto nomem;
> ...
> +	if (unlikely(skb_to_sgvec(skb, sg, offset, len) < 0)) {
> +		if (sg != _sg)
> +			kfree(sg);
> +		goto nomem;

skb_to_sgvec() can return -EMSGSIZE in some circumstances.  You shouldn't
return -ENOMEM here in such a case.

David

Jason A. Donenfeld May 16, 2017, 10:11 p.m. UTC | #2

On Mon, May 15, 2017 at 3:11 PM, David Howells <dhowells@redhat.com> wrote:
> skb_to_sgvec() can return -EMSGSIZE in some circumstances.  You shouldn't
> return -ENOMEM here in such a case.

Noted. I'll fix this up for the next round.

diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index 1bb9b2ccc267..ecab9334e3c1 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -227,7 +227,9 @@  static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 	len &= ~(call->conn->size_align - 1);
 
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, 0, len);
+	err = skb_to_sgvec(skb, sg, 0, len);
+	if (unlikely(err < 0))
+		goto out;
 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 	crypto_skcipher_encrypt(req);
 
@@ -342,7 +344,8 @@  static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 		goto nomem;
 
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, offset, 8);
+	if (unlikely(skb_to_sgvec(skb, sg, offset, 8) < 0))
+		goto nomem;
 
 	/* start the decryption afresh */
 	memset(&iv, 0, sizeof(iv));
@@ -434,7 +437,11 @@  static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 	}
 
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, offset, len);
+	if (unlikely(skb_to_sgvec(skb, sg, offset, len) < 0)) {
+		if (sg != _sg)
+			kfree(sg);
+		goto nomem;
+	}
 
 	/* decrypt from the session key */
 	token = call->conn->params.key->payload.data[0];

[v8,3/5] rxrpc: check return value of skb_to_sgvec always

Commit Message

Comments

Patch