linux-toradex.git/net/tipc/socket.c, branch v3.0.79 Linux kernel for Apalis and Colibri modules tipc: fix info leaks via msg_name in recv_msg/recv_stream 2013-05-01T15:56:40+00:00 Mathias Krause minipli@googlemail.com 2013-04-07T01:52:00+00:00 dc85f620e827440f520551b2ff6222bc92b00fa9 [ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ] The code in set_orig_addr() does not initialize all of the members of struct sockaddr_tipc when filling the sockaddr info -- namely the union is only partly filled. This will make recv_msg() and recv_stream() -- the only users of this function -- leak kernel stack memory as the msg_name member is a local variable in net/socket.c. Additionally to that both recv_msg() and recv_stream() fail to update the msg_namelen member to 0 while otherwise returning with 0, i.e. "success". This is the case for, e.g., non-blocking sockets. This will lead to a 128 byte kernel stack leak in net/socket.c. Fix the first issue by initializing the memory of the union with memset(0). Fix the second one by setting msg_namelen to 0 early as it will be updated later if we're going to fill the msg_name member. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Jon Maloy <jon.maloy@ericsson.com> Cc: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]

The code in set_orig_addr() does not initialize all of the members of
struct sockaddr_tipc when filling the sockaddr info -- namely the union
is only partly filled. This will make recv_msg() and recv_stream() --
the only users of this function -- leak kernel stack memory as the
msg_name member is a local variable in net/socket.c.

Additionally to that both recv_msg() and recv_stream() fail to update
the msg_namelen member to 0 while otherwise returning with 0, i.e.
"success". This is the case for, e.g., non-blocking sockets. This will
lead to a 128 byte kernel stack leak in net/socket.c.

Fix the first issue by initializing the memory of the union with
memset(0). Fix the second one by setting msg_namelen to 0 early as it
will be updated later if we're going to fill the msg_name member.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tipc: Avoid recomputation of outgoing message length 2011-05-10T20:03:57+00:00 Allan Stephens Allan.Stephens@windriver.com 2011-04-21T15:42:07+00:00 2689690469c9fd76f9db0afcdf2523f48cce4006 Rework TIPC's message sending routines to take advantage of the total amount of data value passed to it by the kernel socket infrastructure. This change eliminates the need for TIPC to compute the size of outgoing messages itself, as well as the check for an oversize message in tipc_msg_build(). In addition, this change warrants an explanation: - res = send_packet(NULL, sock, &my_msg, 0); + res = send_packet(NULL, sock, &my_msg, bytes_to_send); Previously, the final argument to send_packet() was ignored (since the amount of data being sent was recalculated by a lower-level routine) and we could just pass in a dummy value (0). Now that the recalculation is being eliminated, the argument value being passed to send_packet() is significant and we have to supply the actual amount of data we want to send. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
Rework TIPC's message sending routines to take advantage of the total
amount of data value passed to it by the kernel socket infrastructure.
This change eliminates the need for TIPC to compute the size of outgoing
messages itself, as well as the check for an oversize message in
tipc_msg_build().  In addition, this change warrants an explanation:

   -     res = send_packet(NULL, sock, &my_msg, 0);
   +     res = send_packet(NULL, sock, &my_msg, bytes_to_send);

Previously, the final argument to send_packet() was ignored (since the
amount of data being sent was recalculated by a lower-level routine)
and we could just pass in a dummy value (0). Now that the
recalculation is being eliminated, the argument value being passed to
send_packet() is significant and we have to supply the actual amount
of data we want to send.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
tipc: Abort excessive send requests as early as possible 2011-05-10T20:03:56+00:00 Allan Stephens Allan.Stephens@windriver.com 2010-04-20T21:58:24+00:00 c29c3f70c9eb6f18090da5af9dbe9dcb4adece8c Adds checks to TIPC's socket send routines to promptly detect and abort attempts to send more than 66,000 bytes in a single TIPC message or more than 2**31-1 bytes in a single TIPC byte stream request. In addition, this ensures that the number of iovecs in a send request does not exceed the limits of a standard integer variable. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
Adds checks to TIPC's socket send routines to promptly detect and
abort attempts to send more than 66,000 bytes in a single TIPC
message or more than 2**31-1 bytes in a single TIPC byte stream request.
In addition, this ensures that the number of iovecs in a send request
does not exceed the limits of a standard integer variable.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
tipc: Add support for SO_RCVTIMEO socket option 2011-03-13T20:35:16+00:00 Allan Stephens Allan.Stephens@windriver.com 2011-02-23T19:52:14+00:00 71092ea122062012f8e4b7fb2f9a747212d1479c Adds support for the SO_RCVTIMEO socket option to TIPC's socket receive routines. Thanks go out to Raj Hegde <rajenhegde@yahoo.ca> for his contribution to the development and testing this enhancement. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
Adds support for the SO_RCVTIMEO socket option to TIPC's socket
receive routines.

Thanks go out to Raj Hegde <rajenhegde@yahoo.ca> for his contribution
to the development and testing this enhancement.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
tipc: Allow receiving into iovec containing multiple entries 2011-03-13T20:35:16+00:00 Allan Stephens Allan.Stephens@windriver.com 2011-02-21T14:45:40+00:00 0232fd0ac475e5f5ec19a69d53467be11bec9833 Enhances TIPC's socket receive routines to support iovec structures containing more than a single entry. This change leverages existing sk_buff routines to do most of the work; the only significant change to TIPC itself is that an sk_buff now records how much data has been already consumed as an numeric offset, rather than as a pointer to the first unread data byte. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
Enhances TIPC's socket receive routines to support iovec structures
containing more than a single entry. This change leverages existing
sk_buff routines to do most of the work; the only significant change
to TIPC itself is that an sk_buff now records how much data has been
already consumed as an numeric offset, rather than as a pointer to
the first unread data byte.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
tipc: Prevent invalid memory access when sending to configuration service 2011-02-23T23:05:07+00:00 Allan Stephens Allan.Stephens@windriver.com 2011-01-18T18:09:29+00:00 3f8dd9446e66f2a982ddcff38e4705cfe93eeec6 Reject TIPC configuration service messages without a full message header. Previously, an application that sent a message to the configuration service that was too short could cause the validation code to access an uninitialized field in the msghdr structure, resulting in a memory access exception. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
Reject TIPC configuration service messages without a full message
header.  Previously, an application that sent a message to the
configuration service that was too short could cause the validation
code to access an uninitialized field in the msghdr structure,
resulting in a memory access exception.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
tipc: Remove unused global variable tipc_user_count 2011-02-23T23:05:06+00:00 Allan Stephens Allan.Stephens@windriver.com 2011-01-07T18:12:12+00:00 4132facae1df653b5a78e0e32956218199026812 Eliminates a global variable that was previously used by TIPC's user registry to track the number of distinct applications using TIPC. Due to the recent elimination of the user registry this variable no longer serves any purpose and can be removed. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
Eliminates a global variable that was previously used by TIPC's user
registry to track the number of distinct applications using TIPC. Due to
the recent elimination of the user registry this variable no longer serves
any purpose and can be removed.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
tipc: remove extraneous braces from single statements 2011-01-01T21:57:57+00:00 Allan Stephens Allan.Stephens@windriver.com 2010-12-31T18:59:35+00:00 a016892cd6eb8d3dd9769021b088917ac7371abd Cleans up TIPC's source code to eliminate the presence of unnecessary use of {} around single statements. These changes are purely cosmetic and do not alter the operation of TIPC in any way. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Cleans up TIPC's source code to eliminate the presence of unnecessary
use of {} around single statements.

These changes are purely cosmetic and do not alter the operation of TIPC
in any way.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
tipc: remove zeroing assignments to static global variables 2011-01-01T21:57:57+00:00 Allan Stephens Allan.Stephens@windriver.com 2010-12-31T18:59:34+00:00 e3ec9c7d5eea9adf2c604c623c987360cc700b88 Cleans up TIPC's source code to eliminate the needless initialization of static variables to zero. These changes are purely cosmetic and do not alter the operation of TIPC in any way. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Cleans up TIPC's source code to eliminate the needless initialization
of static variables to zero.

These changes are purely cosmetic and do not alter the operation of TIPC
in any way.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
tipc: split variable assignments out of conditional expressions 2011-01-01T21:57:56+00:00 Allan Stephens Allan.Stephens@windriver.com 2010-12-31T18:59:33+00:00 2db9983a4318818845193bd577879c0620705e82 Cleans up TIPC's source code to eliminate assigning values to variables within conditional expressions, improving code readability and reducing warnings from various code checker tools. These changes are purely cosmetic and do not alter the operation of TIPC in any way. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Cleans up TIPC's source code to eliminate assigning values to variables
within conditional expressions, improving code readability and reducing
warnings from various code checker tools.

These changes are purely cosmetic and do not alter the operation of TIPC
in any way.

Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>