www.infradead.org Git - users/jedix/linux-maple.git/commit
rose: limit sk_filter trim to payload
author Willem de Bruijn <willemb@google.com>
Tue, 12 Jul 2016 22:18:56 +0000 (18:18 -0400)
committer Chuck Anderson <chuck.anderson@oracle.com>
Sun, 26 Feb 2017 03:35:23 +0000 (19:35 -0800)
commit 70440beae2d041b7e9e45531a791f888e28afce5
tree 28cdcd30dbea78ebf49f0e7710c735b2669e7705
parent 8a409bbe6b4483fd410ddb0ee54f7a66dbd1a8a7
rose: limit sk_filter trim to payload

Orabug: 25104761
CVE: CVE-2016-8645

Sockets can have a filter program attached that drops or trims
incoming packets based on the filter program return value.

Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
verifies this on arrival in rose_route_frame and unconditionally pulls
the bytes in rose_recvmsg. The filter can trim packets to below this
value in-between, causing pull to fail, leaving the partial header at
the time of skb_copy_datagram_msg.

Place a lower bound on the size to which sk_filter may trim packets
by introducing sk_filter_trim_cap and call this for rose packets.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit f4979fcea7fd36d8e2f556abef86f80e0d5af1ba)
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Conflicts:
	net/core/filter.c

include/linux/filter.h
net/core/filter.c
net/rose/rose_in.c
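
A user-space model of the trim cap described in the commit message, added here as an illustration; it is not the kernel patch and not code from this commit. The names `struct pkt`, `filter_trim`, `rose_pull_header` and `deliver` are hypothetical, and `ROSE_MIN_LEN` is assumed to be 3.

```c
#include <stddef.h>
#include <stdio.h>

#define ROSE_MIN_LEN 3 /* assumed header length; see lead-in */

/* Hypothetical stand-in for an skb: only the data length matters here. */
struct pkt { size_t len; };

/* Filter verdict: 0 drops the packet, otherwise it is trimmed to
 * `verdict` bytes but never below `cap`. cap == 0 models the uncapped
 * trim the commit message describes. Returns 0 if kept, -1 if dropped. */
static int filter_trim(struct pkt *p, size_t verdict, size_t cap)
{
    size_t keep;

    if (verdict == 0)
        return -1;
    keep = verdict > cap ? verdict : cap;
    if (keep < p->len)
        p->len = keep;
    return 0;
}

/* Header pull in the receive path: fails and leaves the packet
 * untouched when fewer than ROSE_MIN_LEN bytes remain. */
static int rose_pull_header(struct pkt *p)
{
    if (p->len < ROSE_MIN_LEN)
        return -1;
    p->len -= ROSE_MIN_LEN;
    return 0;
}

/* Arrival check -> filter -> pull -> copy. Returns the number of bytes
 * that would be copied out, or -1 if the packet is dropped. *hdr_left is
 * set when the pull failed and header bytes are still part of the data. */
static long deliver(size_t wire_len, size_t verdict, size_t cap, int *hdr_left)
{
    struct pkt p = { wire_len };

    *hdr_left = 0;
    if (p.len < ROSE_MIN_LEN || filter_trim(&p, verdict, cap) < 0)
        return -1;
    if (rose_pull_header(&p) < 0)
        *hdr_left = 1;
    return (long)p.len;
}

int main(void)
{
    int h;
    long n = deliver(20, 1, 0, &h);            /* uncapped trim to 1 byte */
    printf("uncapped: copied=%ld header_left=%d\n", n, h);
    n = deliver(20, 1, ROSE_MIN_LEN, &h);      /* trim capped at header */
    printf("capped:   copied=%ld header_left=%d\n", n, h);
    return 0;
}
```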