WSL2-Linux-Kernel/net
Richard Alpe ddb3712552 tipc: safely copy UDP netlink data from user
The netlink policy for TIPC_NLA_UDP_LOCAL and TIPC_NLA_UDP_REMOTE
is of type binary with a defined length. This causes the policy
framework to threat the defined length as maximum length.

There is however no protection against a user sending a smaller
amount of data. Prior to this patch this wasn't handled which could
result in a partially incomplete sockaddr_storage struct containing
uninitialized data.

In this patch we use nla_memcpy() when copying the user data. This
ensures a potential gap at the end is cleared out properly.

This was found by Julia with Coccinelle tool.

Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Reviewed-by: Erik Hugne <erik.hugne@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-03-06 22:54:57 -05:00
..
6lowpan 6lowpan: iphc: fix invalid case handling 2016-02-26 09:08:15 +01:00
9p Rework and error handling fixes, primarily in the fscatch and fd transports. 2016-01-24 12:39:09 -08:00
802
8021q net: 8021q: use __ethtool_get_ksettings 2016-02-25 22:06:46 -05:00
appletalk appletalk: fix erroneous return value 2016-02-18 14:59:34 -05:00
atm net: Generalise wq_has_sleeper helper 2015-11-30 14:47:33 -05:00
ax25 net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
batman-adv batman-adv: clarify CFG80211 dependency 2016-03-02 13:45:47 -05:00
bluetooth Bluetooth: hci_core: cancel power off delayed work properly 2016-02-23 20:29:38 +01:00
bridge net: remove skb_sender_cpu_clear() 2016-03-01 17:36:47 -05:00
caif net: caif: fix erroneous return value 2016-02-18 14:59:35 -05:00
can can: avoid using timeval for uapi 2015-10-13 17:42:34 +02:00
ceph libceph: MOSDOpReply v7 encoding 2016-02-04 18:26:08 +01:00
core net/rtnetlink: remove dead code 2016-03-02 15:00:55 -05:00
dcb net/dcb: make dcbnl.c explicitly non-modular 2015-10-09 07:52:27 -07:00
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
decnet net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
dns_resolver net: dns_resolver: convert time_t to time64_t 2015-11-18 16:27:46 -05:00
dsa net: dsa: support VLAN filtering switchdev attr 2016-03-01 16:24:51 -05:00
ethernet eth: Pull header from first fragment via eth_get_headlen 2016-02-24 13:58:05 -05:00
hsr net/hsr: fix a warning message 2015-11-23 14:56:15 -05:00
ieee802154 ieee802154: 6lowpan: fix return of netdev notifier 2016-02-23 20:29:40 +01:00
ipv4 net/ipv4: remove left over dead code 2016-03-02 15:00:55 -05:00
ipv6 net: ipv6: Fix refcnt on host routes 2016-03-03 17:26:18 -05:00
ipx net: Pass kern from net_proto_family.create to sk_alloc 2015-05-11 10:50:17 -04:00
irda irda: fix a potential use-after-free in ircomm_param_request 2016-01-29 22:56:46 -08:00
iucv af_iucv: Validate socket address length in iucv_sock_bind() 2016-01-19 14:21:08 -05:00
key af_key: fix two typos 2015-10-23 03:05:19 -07:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
l3mdev net: l3mdev: address selection should only consider devices in L3 domain 2016-02-26 14:22:26 -05:00
lapb
llc af_llc: fix types on llc_ui_wait_for_conn 2016-02-17 16:12:13 -05:00
mac80211 mac80211: use reset to set header pointer 2016-03-04 22:45:13 -05:00
mac802154 mac802154: Fixes kernel oops when unloading a radio driver 2016-02-23 20:29:40 +01:00
mpls mpls: autoload lwt module 2016-02-21 22:00:28 -05:00
netfilter net: remove skb_sender_cpu_clear() 2016-03-01 17:36:47 -05:00
netlabel netlink: implement nla_put_in_addr and nla_put_in6_addr 2015-03-31 13:58:35 -04:00
netlink nfnetlink: Revert "nfnetlink: add support for memory mapped netlink" 2016-02-18 11:42:22 -05:00
netrom netfilter: Remove spurios included of netfilter.h 2015-06-18 21:14:32 +02:00
nfc NFC 4.5 pull request 2016-01-04 21:48:15 -05:00
openvswitch ovs: propagate per dp max headroom to all vports 2016-03-01 15:54:30 -05:00
packet net: core: use __ethtool_get_ksettings 2016-02-25 22:06:47 -05:00
phonet sock: struct proto hash function may error 2016-02-11 03:54:14 -05:00
rds RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
rfkill Here's another round of updates for -next: 2016-03-01 17:03:27 -05:00
rose Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-06-24 02:58:51 -07:00
rxrpc rxrpc: Don't try to map ICMP to error as the lower layer already did that 2016-03-04 16:02:03 +00:00
sched act_ife: fix a typo in kmemdup() parameters 2016-03-06 22:43:44 -05:00
sctp net: sctp: Convert log timestamps to be y2038 safe 2016-03-01 17:18:44 -05:00
sunrpc Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
switchdev switchdev: Require RTNL mutex to be held when sending FDB notifications 2016-01-28 16:21:31 -08:00
tipc tipc: safely copy UDP netlink data from user 2016-03-06 22:54:57 -05:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
vmw_vsock vsock: Fix blocking ops call in prepare_to_wait 2016-02-13 05:57:39 -05:00
wimax net:wimax: Fix doucble word "the the" in networking.xml 2015-08-09 22:43:52 -07:00
wireless wireless: use reset to set mac header 2016-03-04 22:45:13 -05:00
x25 net: Pass kern from net_proto_family.create to sk_alloc 2015-05-11 10:50:17 -04:00
xfrm net: preserve IP control block during GSO segmentation 2016-01-15 14:35:24 -05:00
Kconfig net: mellanox: add DEVLINK dependencies 2016-03-03 17:08:59 -05:00
Makefile net: Introduce L3 Master device abstraction 2015-09-29 20:40:32 -07:00
compat.c net: switch importing msghdr from userland to {compat_,}import_iovec() 2015-04-09 00:02:26 -04:00
socket.c kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
sysctl_net.c net: sysctl: fix a kmemleak warning 2015-10-23 06:22:08 -07:00