
net: Save and restore msg_namelen in sock_sendmsg

Message ID 20231221131230.2025000-1-marc.dionne@auristor.com (mailing list archive)
State Accepted
Commit 01b2885d9415152bcb12ff1f7788f500a74ea0ed
Delegated to: Netdev Maintainers
Series net: Save and restore msg_namelen in sock_sendmsg

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1118 this patch: 1118
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang fail Errors and warnings before: 12 this patch: 12
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1145 this patch: 1145
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Marc Dionne Dec. 21, 2023, 1:12 p.m. UTC
Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in
sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer
and restore it before returning, to insulate the caller against
msg_name being changed by the called code.  If the address length
was also changed however, we may return with an inconsistent structure
where the length doesn't match the address, and attempts to reuse it may
lead to lost packets.

For example, a kernel that doesn't have commit 1c5950fc6fe9 ("udp6: fix
potential access to stale information") will replace a v4 mapped address
with its ipv4 equivalent, and shorten namelen accordingly from 28 to 16.
If the caller attempts to reuse the resulting msg structure, it will have
the original ipv6 (v4 mapped) address but an incorrect v4 length.

Fixes: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
---
 net/socket.c | 2 ++
 1 file changed, 2 insertions(+)
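As an added illustration, not code from the patch or the kernel: a user-space model of the save/restore logic in sock_sendmsg, with a constructed callee (`model_callee`) that does the v4-mapped rewrite the commit message attributes to kernels lacking 1c5950fc6fe9. The names `model_sock_sendmsg` and `reuse_is_consistent` and the destination ::ffff:192.0.2.1 are assumptions made here; `restore_len` switches between the pre-patch and the patched behaviour.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for __sock_sendmsg on a kernel without 1c5950fc6fe9: a
 * v4-mapped IPv6 name is rewritten to IPv4 and msg_namelen shrinks 28 -> 16. */
static int model_callee(struct msghdr *msg)
{
	struct sockaddr_in6 *sin6 = msg->msg_name;
	struct sockaddr_in sin = { .sin_family = AF_INET };

	if (sin6 && msg->msg_namelen == sizeof(*sin6) && sin6->sin6_family == AF_INET6 &&
	    IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
		sin.sin_port = sin6->sin6_port;
		memcpy(&sin.sin_addr, &sin6->sin6_addr.s6_addr[12], 4);
		memcpy(msg->msg_name, &sin, sizeof(sin)); /* writes the wrapper's local copy */
		msg->msg_namelen = sizeof(sin);
	}
	return 0;
}

/* Model of sock_sendmsg: restore_len == 0 is the pre-patch code (only the
 * msg_name pointer is put back), restore_len == 1 is the patched code. */
static int model_sock_sendmsg(struct msghdr *msg, int restore_len)
{
	struct sockaddr_storage *save_addr = msg->msg_name;
	struct sockaddr_storage address;
	int save_len = msg->msg_namelen;
	int ret;

	if (msg->msg_name) {
		memcpy(&address, msg->msg_name, msg->msg_namelen);
		msg->msg_name = &address;
	}
	ret = model_callee(msg);
	msg->msg_name = save_addr;
	if (restore_len)
		msg->msg_namelen = save_len;
	return ret;
}

/* Send once to a constructed v4-mapped destination (::ffff:192.0.2.1); returns 1 if
 * the caller's msghdr is still reusable (msg_namelen matches the untouched IPv6
 * address in the caller's buffer), 0 if length and address now disagree. */
int reuse_is_consistent(int restore_len)
{
	struct sockaddr_in6 dst = { .sin6_family = AF_INET6, .sin6_port = htons(53) };
	struct msghdr msg = { .msg_name = &dst, .msg_namelen = sizeof(dst) };

	memcpy(&dst.sin6_addr.s6_addr[10], "\377\377\300\0\2\1", 6);
	model_sock_sendmsg(&msg, restore_len);
	return dst.sin6_family == AF_INET6 && msg.msg_namelen == sizeof(dst);
}
```

With `restore_len` 0 the caller is left holding a 28-byte sockaddr_in6 described by a 16-byte length, the mismatch the commit message describes; with `restore_len` 1 the pair stays consistent.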

Comments

Willem de Bruijn Jan. 3, 2024, 1:38 a.m. UTC | #1
Marc Dionne wrote:
> Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in
> sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer
> and restore it before returning, to insulate the caller against
> msg_name being changed by the called code.  If the address length
> was also changed however, we may return with an inconsistent structure
> where the length doesn't match the address, and attempts to reuse it may
> lead to lost packets.
> 
> For example, a kernel that doesn't have commit 1c5950fc6fe9 ("udp6: fix
> potential access to stale information") will replace a v4 mapped address
> with its ipv4 equivalent, and shorten namelen accordingly from 28 to 16.
> If the caller attempts to reuse the resulting msg structure, it will have
> the original ipv6 (v4 mapped) address but an incorrect v4 length.
> 
> Fixes: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
> Signed-off-by: Marc Dionne <marc.dionne@auristor.com>

Reviewed-by: Willem de Bruijn <willemb@google.com>
patchwork-bot+netdevbpf@kernel.org Jan. 3, 2024, 11:40 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Thu, 21 Dec 2023 09:12:30 -0400 you wrote:
> Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in
> sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer
> and restore it before returning, to insulate the caller against
> msg_name being changed by the called code.  If the address length
> was also changed however, we may return with an inconsistent structure
> where the length doesn't match the address, and attempts to reuse it may
> lead to lost packets.
> 
> [...]

Here is the summary with links:
  - net: Save and restore msg_namelen in sock_sendmsg
    https://git.kernel.org/netdev/net/c/01b2885d9415

You are awesome, thank you!

Patch

diff --git a/net/socket.c b/net/socket.c
index 3379c64217a4..89d79205bf50 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -757,6 +757,7 @@  int sock_sendmsg(struct socket *sock, struct msghdr *msg)
 {
 	struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name;
 	struct sockaddr_storage address;
+	int save_len = msg->msg_namelen;
 	int ret;
 
 	if (msg->msg_name) {
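Review bot: the reason for capturing msg_namelen next to msg_name is only in the commit message; a short comment above the two save_* declarations, along the lines of `/* the callee may rewrite msg_name and msg_namelen; both are restored on return */`, would tell a future reader of sock_sendmsg why the pair is taken before the copy into `address`. Declaring `save_len` as `int` matches the type of `msg_namelen` in the kernel's struct msghdr, so there is no truncation concern.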
@@ -766,6 +767,7 @@  int sock_sendmsg(struct socket *sock, struct msghdr *msg)
 
 	ret = __sock_sendmsg(sock, msg);
 	msg->msg_name = save_addr;
+	msg->msg_namelen = save_len;
 
 	return ret;
 }
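Review bot: restoring msg_namelen unconditionally, including on an error return from __sock_sendmsg, is the right choice and matches the msg_name restore on the line above: the caller's (msg_name, msg_namelen) pair is only consistent if both are put back together, which is exactly the 28-to-16 mismatch the commit message describes. A one-line note in the commit message that the restore also covers the error path would make that intent explicit.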