Skip to content

Commit 66f6fd2

Browse files
dhowellsdhowells
committed
rxrpc: Fix network address validation
Fix network address validation on entry to uapi functions such as connect() for AF_RXRPC. The check for address compatibility with the transport socket isn't correct and allows an AF_INET6 address to be given to an AF_INET socket, resulting in an oops now that rxrpc is calling udp_sendmsg() directly. Sample program: #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <arpa/inet.h> #include <linux/rxrpc.h> static unsigned char ctrl[256] = "\x18\x00\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x01"; int main(void) { struct sockaddr_rxrpc srx = { .srx_family = AF_RXRPC, .transport_type = SOCK_DGRAM, .transport_len = 28, .transport.sin6.sin6_family = AF_INET6, }; struct mmsghdr vec = { .msg_hdr.msg_control = ctrl, .msg_hdr.msg_controllen = 0x18, }; int s; s = socket(AF_RXRPC, SOCK_DGRAM, AF_INET); if (s < 0) { perror("socket"); exit(1); } if (connect(s, (struct sockaddr *)&srx, sizeof(srx)) < 0) { perror("connect"); exit(1); } if (sendmmsg(s, &vec, 1, MSG_NOSIGNAL | MSG_MORE) < 0) { perror("sendmmsg"); exit(1); } return 0; } If working properly, connect() should fail with EAFNOSUPPORT. Fixes: ed472b0 ("rxrpc: Call udp_sendmsg() directly") Reported-by: Eric Dumazet <[email protected]> Signed-off-by: David Howells <[email protected]> cc: Marc Dionne <[email protected]> cc: [email protected]
1 parent 6423ac2 commit 66f6fd2

File tree

1 file changed

+5
-4
lines changed

1 file changed

+5
-4
lines changed

net/rxrpc/af_rxrpc.c

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -93,19 +93,20 @@ static int rxrpc_validate_address(struct rxrpc_sock *rx,
9393
srx->transport_len > len)
9494
return -EINVAL;
9595

96-
if (srx->transport.family != rx->family &&
97-
srx->transport.family == AF_INET && rx->family != AF_INET6)
98-
return -EAFNOSUPPORT;
99-
10096
switch (srx->transport.family) {
10197
case AF_INET:
98+
if (rx->family != AF_INET &&
99+
rx->family != AF_INET6)
100+
return -EAFNOSUPPORT;
102101
if (srx->transport_len < sizeof(struct sockaddr_in))
103102
return -EINVAL;
104103
tail = offsetof(struct sockaddr_rxrpc, transport.sin.__pad);
105104
break;
106105

107106
#ifdef CONFIG_AF_RXRPC_IPV6
108107
case AF_INET6:
108+
if (rx->family != AF_INET6)
109+
return -EAFNOSUPPORT;
109110
if (srx->transport_len < sizeof(struct sockaddr_in6))
110111
return -EINVAL;
111112
tail = offsetof(struct sockaddr_rxrpc, transport) +

0 commit comments

Comments
 (0)