diff options
| author | David S. Miller <davem@davemloft.net> | 2018-04-07 22:32:32 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-04-07 22:32:32 -0400 |
| commit | ccb48e837cf23b101de9799ab92cc2821133a1c8 (patch) | |
| tree | d6580b8fca3506e6832347c05c878ed5edc8deb1 | |
| parent | f12c643209db0626f2f54780d86bb93bfa7a9c2d (diff) | |
| parent | 3099a52918937ab86ec47038ad80d377ba16c531 (diff) | |
Merge branch 'net-fix-uninit-values-in-networking-stack'
Eric Dumazet says:
====================
net: fix uninit-values in networking stack
It seems syzbot got new features enabled, and fired some interesting
reports. Oh well.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | crypto/af_alg.c | 8 | ||||
| -rw-r--r-- | include/net/inet_timewait_sock.h | 1 | ||||
| -rw-r--r-- | include/net/nexthop.h | 2 | ||||
| -rw-r--r-- | net/core/dev_addr_lists.c | 4 | ||||
| -rw-r--r-- | net/core/skbuff.c | 1 | ||||
| -rw-r--r-- | net/dccp/ipv4.c | 1 | ||||
| -rw-r--r-- | net/dccp/ipv6.c | 1 | ||||
| -rw-r--r-- | net/ipv4/inet_timewait_sock.c | 1 | ||||
| -rw-r--r-- | net/ipv4/route.c | 11 | ||||
| -rw-r--r-- | net/netlink/af_netlink.c | 2 |
10 files changed, 20 insertions, 12 deletions
diff --git a/crypto/af_alg.c b/crypto/af_alg.c index c49766b03165..7846c0c20cfe 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c | |||
| @@ -158,16 +158,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) | |||
| 158 | void *private; | 158 | void *private; |
| 159 | int err; | 159 | int err; |
| 160 | 160 | ||
| 161 | /* If caller uses non-allowed flag, return error. */ | ||
| 162 | if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) | ||
| 163 | return -EINVAL; | ||
| 164 | |||
| 165 | if (sock->state == SS_CONNECTED) | 161 | if (sock->state == SS_CONNECTED) |
| 166 | return -EINVAL; | 162 | return -EINVAL; |
| 167 | 163 | ||
| 168 | if (addr_len < sizeof(*sa)) | 164 | if (addr_len < sizeof(*sa)) |
| 169 | return -EINVAL; | 165 | return -EINVAL; |
| 170 | 166 | ||
| 167 | /* If caller uses non-allowed flag, return error. */ | ||
| 168 | if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) | ||
| 169 | return -EINVAL; | ||
| 170 | |||
| 171 | sa->salg_type[sizeof(sa->salg_type) - 1] = 0; | 171 | sa->salg_type[sizeof(sa->salg_type) - 1] = 0; |
| 172 | sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0; | 172 | sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0; |
| 173 | 173 | ||
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h index 899495589a7e..c7be1ca8e562 100644 --- a/include/net/inet_timewait_sock.h +++ b/include/net/inet_timewait_sock.h | |||
| @@ -43,6 +43,7 @@ struct inet_timewait_sock { | |||
| 43 | #define tw_family __tw_common.skc_family | 43 | #define tw_family __tw_common.skc_family |
| 44 | #define tw_state __tw_common.skc_state | 44 | #define tw_state __tw_common.skc_state |
| 45 | #define tw_reuse __tw_common.skc_reuse | 45 | #define tw_reuse __tw_common.skc_reuse |
| 46 | #define tw_reuseport __tw_common.skc_reuseport | ||
| 46 | #define tw_ipv6only __tw_common.skc_ipv6only | 47 | #define tw_ipv6only __tw_common.skc_ipv6only |
| 47 | #define tw_bound_dev_if __tw_common.skc_bound_dev_if | 48 | #define tw_bound_dev_if __tw_common.skc_bound_dev_if |
| 48 | #define tw_node __tw_common.skc_nulls_node | 49 | #define tw_node __tw_common.skc_nulls_node |
diff --git a/include/net/nexthop.h b/include/net/nexthop.h index 36bb794f5cd6..902ff382a6dc 100644 --- a/include/net/nexthop.h +++ b/include/net/nexthop.h | |||
| @@ -7,7 +7,7 @@ | |||
| 7 | 7 | ||
| 8 | static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) | 8 | static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) |
| 9 | { | 9 | { |
| 10 | return remaining >= sizeof(*rtnh) && | 10 | return remaining >= (int)sizeof(*rtnh) && |
| 11 | rtnh->rtnh_len >= sizeof(*rtnh) && | 11 | rtnh->rtnh_len >= sizeof(*rtnh) && |
| 12 | rtnh->rtnh_len <= remaining; | 12 | rtnh->rtnh_len <= remaining; |
| 13 | } | 13 | } |
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c index c0548d268e1a..e3e6a3e2ca22 100644 --- a/net/core/dev_addr_lists.c +++ b/net/core/dev_addr_lists.c | |||
| @@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, | |||
| 57 | return -EINVAL; | 57 | return -EINVAL; |
| 58 | 58 | ||
| 59 | list_for_each_entry(ha, &list->list, list) { | 59 | list_for_each_entry(ha, &list->list, list) { |
| 60 | if (!memcmp(ha->addr, addr, addr_len) && | 60 | if (ha->type == addr_type && |
| 61 | ha->type == addr_type) { | 61 | !memcmp(ha->addr, addr, addr_len)) { |
| 62 | if (global) { | 62 | if (global) { |
| 63 | /* check if addr is already used as global */ | 63 | /* check if addr is already used as global */ |
| 64 | if (ha->global_use) | 64 | if (ha->global_use) |
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 1bca1e0fc8f7..345b51837ca8 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -857,6 +857,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) | |||
| 857 | n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; | 857 | n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; |
| 858 | n->cloned = 1; | 858 | n->cloned = 1; |
| 859 | n->nohdr = 0; | 859 | n->nohdr = 0; |
| 860 | n->peeked = 0; | ||
| 860 | n->destructor = NULL; | 861 | n->destructor = NULL; |
| 861 | C(tail); | 862 | C(tail); |
| 862 | C(end); | 863 | C(end); |
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index e65fcb45c3f6..b08feb219b44 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c | |||
| @@ -614,6 +614,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) | |||
| 614 | ireq = inet_rsk(req); | 614 | ireq = inet_rsk(req); |
| 615 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); | 615 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); |
| 616 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); | 616 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); |
| 617 | ireq->ir_mark = inet_request_mark(sk, skb); | ||
| 617 | ireq->ireq_family = AF_INET; | 618 | ireq->ireq_family = AF_INET; |
| 618 | ireq->ir_iif = sk->sk_bound_dev_if; | 619 | ireq->ir_iif = sk->sk_bound_dev_if; |
| 619 | 620 | ||
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 5df7857fc0f3..6344f1b18a6a 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c | |||
| @@ -351,6 +351,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) | |||
| 351 | ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; | 351 | ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; |
| 352 | ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; | 352 | ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; |
| 353 | ireq->ireq_family = AF_INET6; | 353 | ireq->ireq_family = AF_INET6; |
| 354 | ireq->ir_mark = inet_request_mark(sk, skb); | ||
| 354 | 355 | ||
| 355 | if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || | 356 | if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || |
| 356 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || | 357 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || |
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c index c3ea4906d237..88c5069b5d20 100644 --- a/net/ipv4/inet_timewait_sock.c +++ b/net/ipv4/inet_timewait_sock.c | |||
| @@ -178,6 +178,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, | |||
| 178 | tw->tw_dport = inet->inet_dport; | 178 | tw->tw_dport = inet->inet_dport; |
| 179 | tw->tw_family = sk->sk_family; | 179 | tw->tw_family = sk->sk_family; |
| 180 | tw->tw_reuse = sk->sk_reuse; | 180 | tw->tw_reuse = sk->sk_reuse; |
| 181 | tw->tw_reuseport = sk->sk_reuseport; | ||
| 181 | tw->tw_hash = sk->sk_hash; | 182 | tw->tw_hash = sk->sk_hash; |
| 182 | tw->tw_ipv6only = 0; | 183 | tw->tw_ipv6only = 0; |
| 183 | tw->tw_transparent = inet->transparent; | 184 | tw->tw_transparent = inet->transparent; |
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 8322e479f299..59bc6ab1a4eb 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c | |||
| @@ -2297,13 +2297,14 @@ struct rtable *ip_route_output_key_hash(struct net *net, struct flowi4 *fl4, | |||
| 2297 | const struct sk_buff *skb) | 2297 | const struct sk_buff *skb) |
| 2298 | { | 2298 | { |
| 2299 | __u8 tos = RT_FL_TOS(fl4); | 2299 | __u8 tos = RT_FL_TOS(fl4); |
| 2300 | struct fib_result res; | 2300 | struct fib_result res = { |
| 2301 | .type = RTN_UNSPEC, | ||
| 2302 | .fi = NULL, | ||
| 2303 | .table = NULL, | ||
| 2304 | .tclassid = 0, | ||
| 2305 | }; | ||
| 2301 | struct rtable *rth; | 2306 | struct rtable *rth; |
| 2302 | 2307 | ||
| 2303 | res.tclassid = 0; | ||
| 2304 | res.fi = NULL; | ||
| 2305 | res.table = NULL; | ||
| 2306 | |||
| 2307 | fl4->flowi4_iif = LOOPBACK_IFINDEX; | 2308 | fl4->flowi4_iif = LOOPBACK_IFINDEX; |
| 2308 | fl4->flowi4_tos = tos & IPTOS_RT_MASK; | 2309 | fl4->flowi4_tos = tos & IPTOS_RT_MASK; |
| 2309 | fl4->flowi4_scope = ((tos & RTO_ONLINK) ? | 2310 | fl4->flowi4_scope = ((tos & RTO_ONLINK) ? |
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index fa556fdef57d..55342c4d5cec 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c | |||
| @@ -1844,6 +1844,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) | |||
| 1844 | 1844 | ||
| 1845 | if (msg->msg_namelen) { | 1845 | if (msg->msg_namelen) { |
| 1846 | err = -EINVAL; | 1846 | err = -EINVAL; |
| 1847 | if (msg->msg_namelen < sizeof(struct sockaddr_nl)) | ||
| 1848 | goto out; | ||
| 1847 | if (addr->nl_family != AF_NETLINK) | 1849 | if (addr->nl_family != AF_NETLINK) |
| 1848 | goto out; | 1850 | goto out; |
| 1849 | dst_portid = addr->nl_pid; | 1851 | dst_portid = addr->nl_pid; |