linux/net/llc
Daniel Borkmann 4d231b76ee net: llc: fix use after free in llc_ui_recvmsg
While commit 30a584d944 fixes datagram interface in LLC, a use
after free bug has been introduced for SOCK_STREAM sockets that do
not make use of MSG_PEEK.

The flow is as follows ...

  if (!(flags & MSG_PEEK)) {
    ...
    sk_eat_skb(sk, skb, false);
    ...
  }
  ...
  if (used + offset < skb->len)
    continue;

... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
original length and work on skb_len to check partial reads.

Fixes: 30a584d944 ("[LLX]: SOCK_DGRAM interface fixes")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-01-02 19:31:09 -05:00
af_llc.c net: llc: fix use after free in llc_ui_recvmsg 2014-01-02 19:31:09 -05:00
Kconfig
llc_c_ac.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
llc_c_ev.c
llc_c_st.c
llc_conn.c llc: Use normal etherdevice.h tests 2013-09-03 22:34:47 -04:00
llc_core.c llc: cleanup: remove dead code from llc_init() 2010-03-24 13:34:08 -07:00
llc_if.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
llc_input.c llc: Fix races between llc2 handler use and (un)registration 2012-08-14 16:52:02 -07:00
llc_output.c net: delete all instances of special processing for token ring 2012-05-15 20:14:35 -04:00
llc_pdu.c
llc_proc.c net: proc_fs: trivial: print UIDs as unsigned int 2013-08-15 14:37:46 -07:00
llc_s_ac.c
llc_s_ev.c
llc_s_st.c
llc_sap.c llc: Use normal etherdevice.h tests 2013-09-03 22:34:47 -04:00
llc_station.c llc2: Collapse remainder of state machine into simple if-else if-statement 2012-09-17 13:04:19 -04:00
Makefile
sysctl_net_llc.c llc: Remove stray reference to sysctl_llc_station_ack_timeout. 2012-09-17 13:13:24 -04:00