iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 616da05ff8 netrom: fix info-leak in nr_write_internal() 
[ Upstream commit 31642e7089df8fd3f54ca7843f7ee2952978cad1 ]

Simon Kapadia reported the following issue:

<quote>

The Online Amateur Radio Community (OARC) has recently been experimenting
with building a nationwide packet network in the UK.
As part of our experimentation, we have been testing out packet on 300bps HF,
and playing with net/rom.  For HF packet at this baud rate you really need
to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60,
and a net/rom PACLEN of 40 to go with that.
However the Linux net/rom support didn't work with a low PACLEN;
the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.:

Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet!

This didn't make any sense to me (if the packets are smaller why would they
be truncated?) so I started investigating.
I looked at the packets using ethereal, and found that many were just huge
compared to what I would expect.
A simple net/rom connection request packet had the request and then a bunch
of what appeared to be random data following it:

</quote>

Simon provided a patch that I slightly revised:
Not only we must not use skb_tailroom(), we also do
not want to count NR_NETWORK_LEN twice.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-Developed-by: Simon Kapadia <szymon@kapadia.pl>
Signed-off-by: Simon Kapadia <szymon@kapadia.pl>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Simon Kapadia <szymon@kapadia.pl>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-06-09 10:30:05 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
2023-04-20 12:10:25 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
2023-05-30 12:57:53 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-30 09:41:16 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
2023-06-05 09:07:04 +02:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
bridge: always declare tunnel functions
2023-05-30 12:57:53 +01:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:45:11 +01:00
can
can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
2023-05-30 12:57:54 +01:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
net: fix skb leak in __skb_tstamp_tx()
2023-05-30 12:57:58 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 11:27:42 +02:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
dsa
net: dsa: ksz: Check return value
2022-12-14 11:32:01 +01:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: ratelimit only when errors are printed
2023-04-05 11:23:52 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
ipv4
ipv{4,6}/raw: fix output xfrm lookup wrt protocol
2023-06-05 09:07:04 +02:00
ipv6
ipv{4,6}/raw: fix output xfrm lookup wrt protocol
2023-06-05 09:07:04 +02:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:30:00 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:45:56 +01:00
key
af_key: Reject optional tunnel/BEET mode templates in outbound policies
2023-05-30 12:57:51 +01:00
l2tp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 11:27:41 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
llc
net: deal with most data-races in sk_wait_event()
2023-05-30 12:57:46 +01:00
mac80211
wifi: mac80211: fix min center freq offset tracing
2023-05-30 12:57:53 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:55:58 +01:00
mptcp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 11:27:41 +02:00
ncsi
net/ncsi: clear Tx enable mode when handling a Config required AEN
2023-05-17 11:48:10 +02:00
netfilter
netfilter: ctnetlink: Support offloaded conntrack entry deletion
2023-06-05 09:07:04 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
netlink: annotate accesses to nlk->cb_running
2023-05-30 12:57:46 +01:00
netrom
netrom: fix info-leak in nr_write_internal()
2023-06-09 10:30:05 +02:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:45:07 +01:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-30 12:57:52 +01:00
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:55:57 +01:00
packet
net: add vlan_get_protocol_and_depth() helper
2023-05-30 12:57:46 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:10:26 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-11 16:39:26 +01:00
rfkill
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:55:53 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:48:11 +02:00
sched
act_mirred: use the backlog for nested calls to mirred ingress
2023-05-30 12:57:56 +01:00
sctp
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 11:27:42 +02:00
smc
net: deal with most data-races in sk_wait_event()
2023-05-30 12:57:46 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: Fix trace_svc_register() call site
2023-05-30 12:57:52 +01:00
switchdev
tipc
tipc: check the bearer min mtu properly when setting it by netlink
2023-05-30 12:57:52 +01:00
tls
net: deal with most data-races in sk_wait_event()
2023-05-30 12:57:46 +01:00
unix
af_unix: Fix data races around sk->sk_shutdown.
2023-05-30 12:57:46 +01:00
vmw_vsock
vsock: avoid to close connected socket after the timeout
2023-05-30 12:57:52 +01:00
wimax
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:19:36 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-15 17:22:15 +01:00
xdp
xsk: Fix unaligned descriptor validation
2023-05-17 11:47:50 +02:00
xfrm
Revert "Fix XFRM-I support for nested ESP tunnels"
2023-05-30 12:57:51 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c
net: annotate sk->sk_err write from do_recvmmsg()
2023-05-30 12:57:46 +01:00
sysctl_net.c