mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f55ce7b024090a51382ccab2730b96e2f7b4e9cf
linux/net
History
Mateusz Jurczyk f55ce7b024 netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv 
Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < NLMSG_HDRLEN expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-17 13:27:46 +02:00
..
6lowpan
6lowpan: Don't set IFF_NO_QUEUE
2017-04-12 22:02:40 +02:00
9p
sched/wait: Rename wait_queue_t => wait_queue_entry_t
2017-06-20 12:18:27 +02:00
802
net: introduce __skb_put_[zero, data, u8]
2017-06-20 13:30:14 -04:00
8021q
net: add netlink_ext_ack argument to rtnl_link_ops.validate
2017-06-26 23:13:22 -04:00
appletalk
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
atm
net, atm: convert eg_cache_entry.use from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
ax25
net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
2017-07-04 22:35:19 +01:00
batman-adv
networking: make skb_put & friends return void pointers
2017-06-16 11:48:39 -04:00
bluetooth
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
bpf
bpf: Align packet data properly in program testing framework.
2017-05-02 11:46:28 -04:00
bridge
net: bridge: fix dest lookup when vlan proto doesn't match
2017-07-14 08:19:23 -07:00
caif
net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
can
networking: introduce and use skb_put_data()
2017-06-16 11:48:37 -04:00
ceph
libceph: osd_state is 32 bits wide in luminous
2017-07-07 17:25:19 +02:00
core
netpoll: shut up a kernel warning on refcount
2017-07-14 08:16:59 -07:00
dcb
dcb: enforce minimum length on IEEE_APPS attribute
2017-05-21 13:42:33 -04:00
dccp
dccp: make const array error_code static
2017-07-13 09:24:02 -07:00
decnet
net, decnet: convert dn_fib_info.fib_clntref from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
dns_resolver
Merge branch 'WIP.sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-03-03 10:16:38 -08:00
dsa
net: manual clean code which call skb_put_[data:zero]
2017-06-20 13:30:15 -04:00
ethernet
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
hsr
net: add netlink_ext_ack argument to rtnl_link_ops.newlink
2017-06-26 23:13:21 -04:00
ieee802154
net: add netlink_ext_ack argument to rtnl_link_ops.validate
2017-06-26 23:13:22 -04:00
ife
net: Introduce ife encapsulation module
2017-02-03 15:16:45 -05:00
ipv4
tcp_bbr: init pacing rate on first RTT sample
2017-07-15 14:43:29 -07:00
ipv6
net: ipv6: Compare lwstate in detecting duplicate nexthops
2017-07-06 10:48:01 +01:00
ipx
net, ipx: convert ipx_route.refcnt from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
irda
Merge branch 'work.memdup_user' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 16:05:24 -07:00
iucv
iucv: Convert sk_wmem_alloc accesses to refcount_t.
2017-07-03 02:31:22 -07:00
kcm
net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
key
net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
2017-07-04 22:35:18 +01:00
l2tp
net, l2tp: convert l2tp_session.ref_count from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
l3mdev
lapb
net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
llc
net, llc: convert llc_sap.refcnt from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
mac80211
net: manual clean code which call skb_put_[data:zero]
2017-06-20 13:30:15 -04:00
mac802154
net: Fix inconsistent teardown and release of private netdev state.
2017-06-07 15:53:24 -04:00
mpls
mpls: fix uninitialized in_label var warning in mpls_getroute
2017-07-08 11:26:41 +01:00
ncsi
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
netfilter
netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
2017-07-17 13:27:46 +02:00
netlabel
netlink: pass extended ACK struct to parsing functions
2017-04-13 13:58:22 -04:00
netlink
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
netrom
net, netrom: convert nr_node.refcount from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
nfc
NFC: Add sockaddr length checks before accessing sa_family in bind handlers
2017-06-23 00:38:31 +02:00
openvswitch
openvswitch: Fix for force/commit action failures
2017-07-15 14:40:21 -07:00
packet
net/packet: Fix Tx queue selection for AF_PACKET
2017-07-14 08:20:28 -07:00
phonet
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
psample
networking: make skb_put & friends return void pointers
2017-06-16 11:48:39 -04:00
qrtr
networking: make skb_put & friends return void pointers
2017-06-16 11:48:39 -04:00
rds
rds: tcp: use sock_create_lite() to create the accept socket
2017-07-08 11:16:16 +01:00
rfkill
net: rfkill: gpio: Switch to devm_acpi_dev_add_driver_gpios()
2017-06-13 11:07:51 +02:00
rose
net: Work around lockdep limitation in sockets that use sockets
2017-03-09 18:23:27 -08:00
rxrpc
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
sched
net sched actions: rename act_get_notify() to tcf_get_notify()
2017-07-14 08:52:33 -07:00
sctp
sctp: fix an array overflow when all ext chunks are set
2017-07-14 09:05:10 -07:00
smc
net/smc: Add warning about remote memory exposure
2017-05-16 14:49:43 -04:00
strparser
strparser: destroy workqueue on module exit
2017-03-03 20:43:26 -08:00
sunrpc
net, sunrpc: convert gss_upcall_msg.count from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
switchdev
net: switchdev: Change notifier chain to be atomic
2017-06-08 14:16:24 -04:00
tipc
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
tls
TLS: Fix length check in do_tls_getsockopt_tx()
2017-07-06 10:58:19 +01:00
unix
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
vmw_vsock
net: manual clean code which call skb_put_[data:zero]
2017-06-20 13:30:15 -04:00
wimax
wireless
Merge tag 'mac80211-for-davem-2017-07-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2017-07-07 11:35:55 +01:00
x25
net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
2017-07-04 22:35:18 +01:00
xfrm
net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
2017-07-04 22:35:18 +01:00
compat.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-02-22 10:15:09 -08:00
Kconfig
tls: kernel TLS support
2017-06-15 12:12:40 -04:00
Makefile
tls: kernel TLS support
2017-06-15 12:12:40 -04:00
socket.c
Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 13:13:32 -07:00
sysctl_net.c
sysctl: Remove dead register_sysctl_root
2017-04-16 23:42:49 -05:00