On 11/15/24 00:27, Michal Luczaj wrote:
> copy_from_sockptr()'s non-zero result represents the number of bytes that
> could not be copied. Turn that into EFAULT.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Michal Luczaj <mhal@xxxxxxx>
> ---
> net/llc/af_llc.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
> index 4eb52add7103b0f83d6fe7318abf1d1af533d254..c4febedd1ca0e959dcecea524df37eb328bd626d 100644
> --- a/net/llc/af_llc.c
> +++ b/net/llc/af_llc.c
> @@ -1093,15 +1093,17 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
> struct sock *sk = sock->sk;
> struct llc_sock *llc = llc_sk(sk);
> unsigned int opt;
> - int rc = -EINVAL;
> + int rc = 0;
>
> lock_sock(sk);
> - if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
> + if (unlikely(level != SOL_LLC || optlen != sizeof(opt))) {
> + rc = -EINVAL;
> goto out;
> - rc = copy_from_sockptr(&opt, optval, sizeof(opt));
> - if (rc)
> + }
> + if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
> + rc = -EFAULT;
> goto out;
> - rc = -EINVAL;
> + }
> switch (optname) {
> case LLC_OPT_RETRY:
> if (opt > LLC_OPT_MAX_RETRY)
> @@ -1151,9 +1153,8 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
> break;
> default:
> rc = -ENOPROTOOPT;
> - goto out;
> + break;
> }
> - rc = 0;
> out:
> release_sock(sk);
> return rc;
>
Great, I broke it in a worse way: on bad input all the checks under the switch would silently fail. Apologies, here is v2: https://lore.kernel.org/netdev/20241115-sockptr-copy-fixes-v2-0-9b1254c18b7a@xxxxxxx/ Michal PS. Ugh, and I've just realized; sorry for forgetting about the "wait 24h before re-submitting" rule...
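Review bot: The `level`/`optlen` check and the `copy_from_sockptr()` call in the first hunk run after `lock_sock(sk)`, although in the visible lines they touch only the function arguments and the local `opt`, never socket state. Doing both before taking the lock would let each failure return directly, `if (copy_from_sockptr(&opt, optval, sizeof(opt))) return -EFAULT;`, with no `rc` assignment or `goto out` on those paths, so `rc` would carry only the switch's result. A one-line comment at the copy, `/* non-zero means bytes left uncopied, not an errno */`, would also record the misreading this patch corrects. The switch arms between the two hunks are outside the view, so this assumes none of them depends on the early checks being made under the lock.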