[PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mainline commit 89c22d8c3b27 ("net: Fix skb csum races when peeking")
backport into pre-3.19 stable kernels introduces a regression causing
null pointer dererefence in skb_copy_and_csum_datagram_iovec().

This commit only sets CHECKSUM_UNNECESSARY for non-shared skb, allowing
udp_recvmsg() to take the "else" branch of if (skb_csum_unnecessary(skb))
when called with null iovec (and len=0, e.g. when peeking for datagram
size first). The problem is that unlike skb_copy_and_csum_datagram_msg()
called in this path since 3.19, skb_copy_and_csum_datagram_iovec() does
not handle null iov parameter and always dereferences iov->iov_len. This
is especially harmful when udp_recvmsg() is called in kernel context,
e.g. from kernel nfsd.

Band-aid skb_copy_and_csum_datagram_iovec() by testing iov for null and
only checking the checksum in this case.

Signed-off-by: Michal Kubecek <mkubecek@xxxxxxx>
---
 net/core/datagram.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/core/datagram.c b/net/core/datagram.c
index 3a402a7b20e9..f8b38794fa9b 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -799,6 +799,13 @@ int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
 	if (!chunk)
 		return 0;
 
+	if (!iov) {
+		if (__skb_checksum_complete(skb))
+			goto csum_error;
+		else
+			return 0;
+	}
+
 	/* Skip filled elements.
 	 * Pretty silly, look at memcpy_toiovec, though 8)
 	 */
-- 
2.6.2

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]