From: Jason Wang <jasowang@redhat.com>
Date: Wed, 30 May 2012 21:18:10 +0000 (+0000)
Subject: net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
X-Git-Tag: v2.6.39-400.9.0~516^2~11
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=41db6ec59cc5e5c74ecebb6e2a45f5389502ea39;p=users%2Fjedix%2Flinux-maple.git

net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

Bugdb: 13966
We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
This fixes: CVE-2012-2136
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/core/sock.c b/net/core/sock.c
index 6c157b777b28..baa161b72420 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1501,6 +1501,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 	gfp_t gfp_mask;
 	long timeo;
 	int err;
+	int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+	err = -EMSGSIZE;
+	if (npages > MAX_SKB_FRAGS)
+		goto failure;
 
 	gfp_mask = sk->sk_allocation;
 	if (gfp_mask & __GFP_WAIT)
@@ -1519,14 +1524,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 		if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
 			skb = alloc_skb(header_len, gfp_mask);
 			if (skb) {
-				int npages;
 				int i;
 
 				/* No pages, we're done... */
 				if (!data_len)
 					break;
 
-				npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
 				skb->truesize += data_len;
 				skb_shinfo(skb)->nr_frags = npages;
 				for (i = 0; i < npages; i++) {