linux/net/ipv4
Neil Horman 55888dfb6b AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Augment raw_send_hdrinc to correct for incorrect ip header length values

A series of oopses was reported to me recently.  Apparently when using AF_RAW
sockets to send data to peers that were reachable via ipsec encapsulation,
people could panic or BUG halt their systems.

I've tracked the problem down to user space sending an invalid ip header over an
AF_RAW socket with IP_HDRINCL set to 1.

Basically what happens is that userspace sends down an ip frame that includes
only the header (no data), but sets the ip header ihl value to a large number,
one that is larger than the total amount of data passed to the sendmsg call.  In
raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
that was passed in, but assume the data is all valid.  Later during ipsec
encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
to provide headroom for the ipsec headers.  During this operation, the
skb->transport_header is repointed to a spot computed by
skb->network_header + the ip header length (ihl).  Since so little data was
passed in relative to the value of ihl provided by the raw socket, we point
transport header to an unknown location, resulting in various crashes.

This fix for this is pretty straightforward, simply validate the value of of
iph->ihl when sending over a raw socket.  If (iph->ihl*4U) > user data buffer
size, drop the frame and return -EINVAL.  I just confirmed this fixes the
reported crashes.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-29 01:09:58 -07:00
..
netfilter netfilter: nfnetlink: constify message attributes and headers 2009-08-25 16:07:58 +02:00
Kconfig ipv4: update ARPD help text 2009-06-13 23:36:32 -07:00
Makefile IPVS: Move IPVS to net/netfilter/ipvs 2008-10-07 08:38:24 +11:00
af_inet.c net: Use sk_mark for routing lookup in more places 2009-10-01 15:16:49 -07:00
ah4.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
arp.c net: make neigh_ops constant 2009-09-01 17:40:57 -07:00
cipso_ipv4.c netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
datagram.c mib: add net to IP_INC_STATS_BH 2008-07-16 20:20:11 -07:00
devinet.c ipv4: arp_notify address list bug 2009-10-07 03:18:17 -07:00
esp4.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
fib_frontend.c ipv4: cleanup: remove unnecessary include. 2009-05-18 15:16:38 -07:00
fib_hash.c ipv4: cleanup - remove two unused parameters from fib_semantic_match(). 2009-05-18 15:16:37 -07:00
fib_lookup.h ipv4: cleanup - remove two unused parameters from fib_semantic_match(). 2009-05-18 15:16:37 -07:00
fib_rules.c net: Remove unused parameter from fill method in fib_rules_ops. 2009-05-20 17:26:23 -07:00
fib_semantics.c ipv4: cleanup - remove two unused parameters from fib_semantic_match(). 2009-05-18 15:16:37 -07:00
fib_trie.c fib_trie: resize rework 2009-08-28 23:57:15 -07:00
icmp.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
igmp.c bonding: remap muticast addresses without using dev_close() and dev_open() 2009-09-15 02:37:40 -07:00
inet_connection_sock.c tcp: reduce SYN-ACK retrans for TCP_DEFER_ACCEPT 2009-10-19 19:19:03 -07:00
inet_diag.c net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
inet_fragment.c inet fragments: fix sparse warning: context imbalance 2009-02-26 23:13:35 -08:00
inet_hashtables.c net: move bsockets outside of read only beginning of struct inet_hashinfo 2009-02-01 12:31:33 -08:00
inet_lro.c include/net net/ - csum_partial - remove unnecessary casts 2008-11-19 15:44:53 -08:00
inet_timewait_sock.c tcp: fix premature termination of FIN_WAIT2 time-wait sockets 2009-08-29 00:00:35 -07:00
inetpeer.c net: clean up net/ipv4/ah4.c esp4.c fib_semantics.c inet_connection_sock.c inetpeer.c ip_output.c 2008-11-03 00:23:42 -08:00
ip_forward.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
ip_fragment.c ipv4: Use frag list abstraction interfaces. 2009-06-09 00:19:37 -07:00
ip_gre.c tunnel: eliminate recursion field 2009-09-24 15:39:22 -07:00
ip_input.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
ip_options.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
ip_output.c net: Use sk_mark for routing lookup in more places 2009-10-01 15:16:49 -07:00
ip_sockglue.c net: Fix IP_MULTICAST_IF 2009-10-19 21:34:20 -07:00
ipcomp.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
ipconfig.c ipv4: teach ipconfig about the MTU option in DHCP 2009-05-19 15:36:17 -07:00
ipip.c tunnel: eliminate recursion field 2009-09-24 15:39:22 -07:00
ipmr.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
netfilter.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
proc.c snmp: add missing counters for RFC 4293 2009-04-27 02:45:02 -07:00
protocol.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
raw.c AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2) 2009-10-29 01:09:58 -07:00
route.c sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
syncookies.c percpu: clean up percpu variable definitions 2009-06-24 15:13:48 +09:00
sysctl_net_ipv4.c sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
tcp.c net: use WARN() for the WARN_ON in commit b6b39e8f3f 2009-10-22 21:37:56 -07:00
tcp_bic.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_cong.c Networking: use CAP_NET_ADMIN when deciding to call request_module 2009-08-14 11:18:34 +10:00
tcp_cubic.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_diag.c net: inet_diag_handler structs can be const 2008-11-19 15:43:27 -08:00
tcp_highspeed.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_htcp.c htcp: merge icsk_ca_state compare 2009-03-02 03:00:14 -08:00
tcp_hybla.c tcp: Fix tcp_hybla zero congestion window growth with small rho and large cwnd. 2008-10-07 15:58:17 -07:00
tcp_illinois.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_input.c tcp: fix ssthresh u16 leftover 2009-09-15 01:30:10 -07:00
tcp_ipv4.c tcp: fix ssthresh u16 leftover 2009-09-15 01:30:10 -07:00
tcp_lp.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_minisocks.c tcp: accept socket after TCP_DEFER_ACCEPT period 2009-10-19 19:19:01 -07:00
tcp_output.c IPv4 TCP fails to send window scale option when window scale is zero 2009-10-01 15:14:51 -07:00
tcp_probe.c tcp: '< 0' test on unsigned 2009-03-13 16:05:14 -07:00
tcp_scalable.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_timer.c Revert Backoff [v3]: Calculate TCP's connection close threshold as a time value. 2009-09-01 02:45:47 -07:00
tcp_vegas.c tcp: tcp_vegas ssthresh bugfix 2009-05-25 22:44:59 -07:00
tcp_vegas.h
tcp_veno.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_westwood.c
tcp_yeah.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tunnel4.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
udp.c udp: Fix udp_poll() and ioctl() 2009-10-13 03:16:54 -07:00
udp_impl.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
udplite.c net: constify struct net_protocol 2009-09-14 17:03:01 -07:00
xfrm4_input.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm4_mode_beet.c ipsec: Interfamily IPSec BEET 2008-08-06 02:39:30 -07:00
xfrm4_mode_transport.c [IPSEC]: Use IPv6 calling convention as the convention for x->mode->output 2007-10-10 16:55:54 -07:00
xfrm4_mode_tunnel.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm4_output.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm4_policy.c xfrm4: fix build when SYSCTLs are disabled 2009-08-04 20:18:33 -07:00
xfrm4_state.c xfrm: remove useless forward declarations 2008-11-25 01:05:54 -08:00
xfrm4_tunnel.c [IPCOMP]: Fix reception of incompressible packets 2008-01-31 19:27:24 -08:00