Message ID | 20241115-sockptr-copy-fixes-v1-2-d183c87fcbd5@rbox.co (mailing list archive) |
---|---|
State | Superseded |
Series | net: Fix some callers of copy_from_sockptr() | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/SubjectPrefix | fail | "Bluetooth: " prefix is not specified in the subject |
On 11/15/24 00:27, Michal Luczaj wrote:
> copy_from_sockptr()'s non-zero result represents the number of bytes that
> could not be copied. Turn that into EFAULT.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Michal Luczaj <mhal@rbox.co>
> ---
> net/llc/af_llc.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
> index 4eb52add7103b0f83d6fe7318abf1d1af533d254..c4febedd1ca0e959dcecea524df37eb328bd626d 100644
> --- a/net/llc/af_llc.c
> +++ b/net/llc/af_llc.c
> @@ -1093,15 +1093,17 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
> struct sock *sk = sock->sk;
> struct llc_sock *llc = llc_sk(sk);
> unsigned int opt;
> - int rc = -EINVAL;
> + int rc = 0;
>
> lock_sock(sk);
> - if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
> + if (unlikely(level != SOL_LLC || optlen != sizeof(opt))) {
> + rc = -EINVAL;
> goto out;
> - rc = copy_from_sockptr(&opt, optval, sizeof(opt));
> - if (rc)
> + }
> + if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
> + rc = -EFAULT;
> goto out;
> - rc = -EINVAL;
> + }
> switch (optname) {
> case LLC_OPT_RETRY:
> if (opt > LLC_OPT_MAX_RETRY)
> @@ -1151,9 +1153,8 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
> break;
> default:
> rc = -ENOPROTOOPT;
> - goto out;
> + break;
> }
> - rc = 0;
> out:
> release_sock(sk);
> return rc;
>
Great, I broke it in a worse way: on bad input all the checks under the switch would silently fail. Apologies, here is v2: https://lore.kernel.org/netdev/20241115-sockptr-copy-fixes-v2-0-9b1254c18b7a@rbox.co/ Michal PS. Ugh, and I've just realized; sorry for forgetting about the "wait 24h before re-submitting" rule...
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 4eb52add7103b0f83d6fe7318abf1d1af533d254..c4febedd1ca0e959dcecea524df37eb328bd626d 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -1093,15 +1093,17 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
 struct sock *sk = sock->sk;
 struct llc_sock *llc = llc_sk(sk);
 unsigned int opt;
- int rc = -EINVAL;
+ int rc = 0;

 lock_sock(sk);
- if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
+ if (unlikely(level != SOL_LLC || optlen != sizeof(opt))) {
+ rc = -EINVAL;
 goto out;
- rc = copy_from_sockptr(&opt, optval, sizeof(opt));
- if (rc)
+ }
+ if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
+ rc = -EFAULT;
 goto out;
- rc = -EINVAL;
+ }
 switch (optname) {
 case LLC_OPT_RETRY:
 if (opt > LLC_OPT_MAX_RETRY)
@@ -1151,9 +1153,8 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
 break;
 default:
 rc = -ENOPROTOOPT;
- goto out;
+ break;
 }
- rc = 0;
 out:
 release_sock(sk);
 return rc;
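Review bot: In the first hunk the copy is still open-coded as `if (copy_from_sockptr(&opt, optval, sizeof(opt))) { rc = -EFAULT; goto out; }`, so the translation from "bytes not copied" to an errno has to be repeated correctly at this call site. The `copy_safe_from_sockptr()` helper does that translation itself and also rejects a user-supplied length shorter than the kernel buffer, so the call could read `rc = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);` followed by `if (rc) goto out;`. That keeps setsockopt() from handing a positive byte count back to userspace while leaving the rest of the `rc` flow as it was. The body of llc_ui_setsockopt() starts before this hunk and the option cases between the two hunks are not visible here, so the effect on those paths should be checked against the full function.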
copy_from_sockptr()'s non-zero result represents the number of bytes that could not be copied. Turn that into EFAULT. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Michal Luczaj <mhal@rbox.co> --- net/llc/af_llc.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)