linux/net/ipv4
Paul Moore 89d7ae34cd cipso: don't follow a NULL pointer when setsockopt() is called
As reported by Alan Cox, and verified by Lin Ming, when a user
attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
tag the kernel dies a terrible death when it attempts to follow a NULL
pointer (the skb argument to cipso_v4_validate() is NULL when called via
the setsockopt() syscall).

This patch fixes this by first checking to ensure that the skb is
non-NULL before using it to find the incoming network interface.  In
the unlikely case where the skb is NULL and the user attempts to add
a CIPSO option with the _TAG_LOCAL tag we return an error as this is
not something we want to allow.

A simple reproducer, kindly supplied by Lin Ming, although you must
have the CIPSO DOI #3 configure on the system first or you will be
caught early in cipso_v4_validate():

	#include <sys/types.h>
	#include <sys/socket.h>
	#include <linux/ip.h>
	#include <linux/in.h>
	#include <string.h>

	struct local_tag {
		char type;
		char length;
		char info[4];
	};

	struct cipso {
		char type;
		char length;
		char doi[4];
		struct local_tag local;
	};

	int main(int argc, char **argv)
	{
		int sockfd;
		struct cipso cipso = {
			.type = IPOPT_CIPSO,
			.length = sizeof(struct cipso),
			.local = {
				.type = 128,
				.length = sizeof(struct local_tag),
			},
		};

		memset(cipso.doi, 0, 4);
		cipso.doi[3] = 3;

		sockfd = socket(AF_INET, SOCK_DGRAM, 0);
		#define SOL_IP 0
		setsockopt(sockfd, SOL_IP, IP_OPTIONS,
			&cipso, sizeof(struct cipso));

		return 0;
	}

CC: Lin Ming <mlin@ss.pku.edu.cn>
Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-07-18 09:01:12 -07:00
..
netfilter net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
af_inet.c sock: Introduce named constants for sk_reuse 2012-04-21 15:52:25 -04:00
ah4.c net: ipv4 and ipv6: Convert printk(KERN_DEBUG to pr_debug 2012-05-16 01:01:03 -04:00
arp.c Merge branch 'delete-tokenring' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2012-05-16 01:02:40 -04:00
cipso_ipv4.c cipso: don't follow a NULL pointer when setsockopt() is called 2012-07-18 09:01:12 -07:00
datagram.c ipv4: Lock socket and use cork flow in ip4_datagram_connect(). 2011-05-08 13:48:57 -07:00
devinet.c net: ipv4 and ipv6: Convert printk(KERN_DEBUG to pr_debug 2012-05-16 01:01:03 -04:00
esp4.c xfrm: take net hdr len into account for esp payload size calculation 2012-05-27 01:08:29 -04:00
fib_frontend.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
fib_lookup.h
fib_rules.c ipv4: Stop using NLA_PUT*(). 2012-04-02 04:33:43 -04:00
fib_semantics.c ipv4: fix the rcu race between free_fib_info and ip_route_output_slow 2012-05-24 00:28:21 -04:00
fib_trie.c ipv4: Do not use dead fib_info entries. 2012-05-10 22:16:32 -04:00
gre.c net: ipv4: Standardize prefixes for message logging 2012-03-12 17:05:21 -07:00
icmp.c net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
igmp.c ipv4: fix checkpatch errors 2012-04-15 12:37:19 -04:00
inet_connection_sock.c tcp: do not create inetpeer on SYNACK message 2012-06-01 14:22:11 -04:00
inet_diag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-05-07 23:35:40 -04:00
inet_fragment.c
inet_hashtables.c ipv4: fix checkpatch errors 2012-04-15 12:37:19 -04:00
inet_lro.c net: add skb frag size accessors 2011-10-19 03:10:46 -04:00
inet_timewait_sock.c net: ipv4 and ipv6: Convert printk(KERN_DEBUG to pr_debug 2012-05-16 01:01:03 -04:00
inetpeer.c inetpeer: fix a race in inetpeer_gc_worker() 2012-06-06 10:45:15 -07:00
ip_forward.c snmp: fix OutOctets counter to include forwarded datagrams 2012-06-07 14:50:56 -07:00
ip_fragment.c ipv4: use skb coalescing in defragmentation 2012-05-19 18:34:57 -04:00
ip_gre.c ipv4: fix checkpatch errors 2012-04-15 12:37:19 -04:00
ip_input.c net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
ip_options.c net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
ip_output.c net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
ip_sockglue.c net: IP_MULTICAST_IF setsockopt now recognizes struct mreq 2012-05-07 23:03:22 -04:00
ipcomp.c net: Convert printks to pr_<level> 2012-03-11 23:42:51 -07:00
ipconfig.c net/ipv4/ipconfig: neaten __setup placement 2012-05-20 04:06:16 -04:00
ipip.c ipv4: fix checkpatch errors 2012-04-15 12:37:19 -04:00
ipmr.c snmp: fix OutOctets counter to include forwarded datagrams 2012-06-07 14:50:56 -07:00
Kconfig net: delete all instances of special processing for token ring 2012-05-15 20:14:35 -04:00
Makefile tcp memory pressure controls 2011-12-12 19:04:10 -05:00
netfilter.c net: Delete all remaining instances of ctl_path 2012-04-20 21:22:30 -04:00
ping.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
proc.c tcp: reduce out_of_order memory use 2012-03-19 16:53:08 -04:00
protocol.c
raw.c ipv4: fix checkpatch errors 2012-04-15 12:37:19 -04:00
route.c mm: add a low limit to alloc_large_system_hash 2012-05-24 00:28:21 -04:00
syncookies.c tcp: fix syncookie regression 2012-03-11 15:52:12 -07:00
sysctl_net_ipv4.c tcp: early retransmit 2012-05-02 20:56:10 -04:00
tcp_bic.c tcp: fix undo after RTO for BIC 2012-01-20 14:17:26 -05:00
tcp_cong.c tcp: bool conversions 2012-05-17 14:59:59 -04:00
tcp_cubic.c tcp: fix undo after RTO for CUBIC 2012-01-20 14:17:26 -05:00
tcp_diag.c inet_diag: Rename inet_diag_req into inet_diag_req_v2 2012-01-11 12:56:06 -08:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c tcp: bool conversions 2012-05-17 14:59:59 -04:00
tcp_illinois.c
tcp_input.c tcp: take care of overlaps in tcp_try_coalesce() 2012-05-24 00:28:21 -04:00
tcp_ipv4.c tcp: reflect SYN queue_mapping into SYNACK packets 2012-06-01 14:22:11 -04:00
tcp_lp.c
tcp_memcontrol.c memcg: decrement static keys at real destroy time 2012-05-29 16:22:28 -07:00
tcp_minisocks.c tcp: bool conversions 2012-05-17 14:59:59 -04:00
tcp_output.c tcp: bool conversions 2012-05-17 14:59:59 -04:00
tcp_probe.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
tcp_scalable.c
tcp_timer.c tcp: early retransmit: delayed fast retransmit 2012-05-02 20:56:10 -04:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c mm: add a low limit to alloc_large_system_hash 2012-05-24 00:28:21 -04:00
tunnel4.c net: Convert printks to pr_<level> 2012-03-11 23:42:51 -07:00
udp_diag.c udp_diag: implement idiag_get_info for udp/udplite to get queue information 2012-04-25 20:43:01 -04:00
udp_impl.h ipv4: fix checkpatch errors 2012-04-15 12:37:19 -04:00
udp.c mm: add a low limit to alloc_large_system_hash 2012-05-24 00:28:21 -04:00
udplite.c net: ipv4: Standardize prefixes for message logging 2012-03-12 17:05:21 -07:00
xfrm4_input.c
xfrm4_mode_beet.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm4_output.c xfrm4: Don't call icmp_send on local error 2011-07-01 17:33:19 -07:00
xfrm4_policy.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
xfrm4_state.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
xfrm4_tunnel.c net: ipv4: Standardize prefixes for message logging 2012-03-12 17:05:21 -07:00