From 6885ffb3a1b4abf731fd0891a2c1544a83c2651d Mon Sep 17 00:00:00 2001 From: Mark Smith Date: Thu, 6 Aug 2009 23:21:22 +0000 Subject: Use correct NET_RX_* returns for atalk_rcv() In all rx'd SKB cases, atalk_rcv() either eventually jumps to or falls through to the label out:, which returns numeric 0. Numeric 0 corresponds to NET_RX_SUCCESS, which is incorrect in failed SKB cases. This patch makes atalk_rcv() provide the correct returns by: o explicitly returning NET_RX_SUCCESS in the two success cases o having the out: label return NET_RX_DROP, instead of numeric 0 o making the failed SKB labels and processing more consistent with other _rcv() routines in the kernel, simplifying validation and removing a backwards goto Signed-off-by: Mark Smith Signed-off-by: David S. Miller --- net/appletalk/ddp.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) (limited to 'net/appletalk') diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c index 875eda5dbad..0d42d5da50a 100644 --- a/net/appletalk/ddp.c +++ b/net/appletalk/ddp.c @@ -1400,7 +1400,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, __u16 len_hops; if (!net_eq(dev_net(dev), &init_net)) - goto freeit; + goto drop; /* Don't mangle buffer if shared */ if (!(skb = skb_share_check(skb, GFP_ATOMIC))) @@ -1408,7 +1408,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, /* Size check and make sure header is contiguous */ if (!pskb_may_pull(skb, sizeof(*ddp))) - goto freeit; + goto drop; ddp = ddp_hdr(skb); @@ -1426,7 +1426,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) { pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, " "skb->len=%u)\n", len_hops & 1023, skb->len); - goto freeit; + goto drop; } /* 
@@ -1436,7 +1436,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, if (ddp->deh_sum && atalk_checksum(skb, len_hops & 1023) != ddp->deh_sum) /* Not a valid AppleTalk frame - dustbin time */ - goto freeit; + goto drop; /* Check the packet is aimed at us */ if (!ddp->deh_dnet) /* Net 0 is 'this network' */ @@ -1449,7 +1449,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, * AppleTalk iface */ atalk_route_packet(skb, dev, ddp, len_hops, origlen); - goto out; + return NET_RX_SUCCESS; } /* if IP over DDP is not selected this code will be optimized out */ @@ -1465,18 +1465,21 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, sock = atalk_search_socket(&tosat, atif); if (!sock) /* But not one of our sockets */ - goto freeit; + goto drop; /* Queue packet (standard) */ skb->sk = sock; if (sock_queue_rcv_skb(sock, skb) < 0) - goto freeit; -out: - return 0; -freeit: + goto drop; + + return NET_RX_SUCCESS; + +drop: kfree_skb(skb); - goto out; +out: + return NET_RX_DROP; + } /* -- cgit v1.2.2 From ffcfb8db540ff879c2a85bf7e404954281443414 Mon Sep 17 00:00:00 2001 From: Arnaldo Carvalho de Melo Date: Fri, 11 Sep 2009 11:35:22 -0700 Subject: Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded And also do a better job of returning proper NET_{RX,XMIT}_ values. Based on a patch and suggestions by Mark Smith. This fixes CVE-2009-2903 Reported-by: Mark Smith Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller --- net/appletalk/aarp.c | 16 +++++++++++----- net/appletalk/ddp.c | 47 ++++++++++++++++++++++++----------------------- 2 files changed, 35 insertions(+), 28 deletions(-) (limited to 'net/appletalk') diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c index 89f99d3beb6..9d4adfd2275 100644 --- a/net/appletalk/aarp.c +++ b/net/appletalk/aarp.c 
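Review bot: The new `return NET_RX_SUCCESS;` after `atalk_route_packet(skb, dev, ddp, len_hops, origlen);` reports success unconditionally, although atalk_route_packet() is still a void function at this point and, as far as the page shows, frees the skb itself on its failure paths, so routed frames that were dropped are counted as delivered. If the caller is meant to report that outcome, atalk_route_packet() would need to return a NET_RX_* code and this line become `return atalk_route_packet(skb, dev, ddp, len_hops, origlen);`. Either way a one-line comment here saying that atalk_route_packet() consumes the skb on every path would stop the next reader from adding a kfree_skb(). atalk_rcv() starts and ends outside this hunk.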
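Review bot: The `out:` label on the new side returns NET_RX_DROP without a kfree_skb(), and its only remaining user is, as far as the page shows, the `skb_share_check()` failure in the first hunk of net/appletalk/ddp.c (whose `goto` line falls between the hunks), where skb_share_check() has already released the buffer; that is correct but invisible at the label, so a comment such as `out:	/* skb already freed by skb_share_check() */` would document why `drop:` and `out:` differ. The extra blank line added between `return NET_RX_DROP;` and the closing brace should be dropped. Otherwise the forward-only labels read much better than the previous backwards `goto out`. atalk_rcv() starts outside this hunk.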
@@ -599,7 +599,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb, /* Non ELAP we cannot do. */ if (dev->type != ARPHRD_ETHER) - return -1; + goto free_it; skb->dev = dev; skb->protocol = htons(ETH_P_ATALK); @@ -634,7 +634,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb, if (!a) { /* Whoops slipped... good job it's an unreliable protocol 8) */ write_unlock_bh(&aarp_lock); - return -1; + goto free_it; } /* Set up the queue */ @@ -663,15 +663,21 @@ out_unlock: write_unlock_bh(&aarp_lock); /* Tell the ddp layer we have taken over for this frame. */ - return 0; + goto sent; sendit: if (skb->sk) skb->priority = skb->sk->sk_priority; - dev_queue_xmit(skb); + if (dev_queue_xmit(skb)) + goto drop; sent: - return 1; + return NET_XMIT_SUCCESS; +free_it: + kfree_skb(skb); +drop: + return NET_XMIT_DROP; } +EXPORT_SYMBOL(aarp_send_ddp); /* * An entry in the aarp unresolved queue has become resolved. Send diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c index 0d42d5da50a..4a6ff2ba4d0 100644 --- a/net/appletalk/ddp.c +++ b/net/appletalk/ddp.c @@ -1270,8 +1270,10 @@ static int handle_ip_over_ddp(struct sk_buff *skb) struct net_device_stats *stats; /* This needs to be able to handle ipddp"N" devices */ - if (!dev) - return -ENODEV; + if (!dev) { + kfree_skb(skb); + return NET_RX_DROP; + } skb->protocol = htons(ETH_P_IP); skb_pull(skb, 13); @@ -1281,8 +1283,7 @@ static int handle_ip_over_ddp(struct sk_buff *skb) stats = netdev_priv(dev); stats->rx_packets++; stats->rx_bytes += skb->len + 13; - netif_rx(skb); /* Send the SKB up to a higher place. */ - return 0; + return netif_rx(skb); /* Send the SKB up to a higher place. */ } #else /* make it easy for gcc to optimize this test out, i.e. kill the code */ 
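Review bot: `if (dev_queue_xmit(skb)) goto drop;` treats every non-zero return as a drop, but dev_queue_xmit() can, I believe, also return a congestion code (NET_XMIT_CN) after having queued the frame, so a congested transmit is reported to the ddp layer as NET_XMIT_DROP; `return dev_queue_xmit(skb);` would preserve that distinction, and since dev_queue_xmit() consumes the skb in either case the `drop:` label is right not to free it. The comment above `goto sent` still presents "taken over for this frame" as a distinct outcome, yet queued and sent now both return NET_XMIT_SUCCESS, so it should be reworded. The new contract callers rely on, that aarp_send_ddp() consumes the skb on every path (queued, transmitted or freed) and returns a NET_XMIT_* code, deserves a comment on the function header, which is outside this hunk.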
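Review bot: In handle_ip_over_ddp() the NET_RX_DROP result of `netif_rx(skb)` is now propagated, but `stats->rx_packets++` and `stats->rx_bytes += skb->len + 13;` have already been counted on the lines above it, so a frame netif_rx() rejects is still accounted as received. If the counters are meant to agree with the return code, the byte length has to be saved before the call (netif_rx() consumes the skb) and the two increments moved behind a check of its result; if the current accounting is intentional, a short comment saying so would help. handle_ip_over_ddp() starts outside this hunk.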
@@ -1290,9 +1291,8 @@ static int handle_ip_over_ddp(struct sk_buff *skb) #define handle_ip_over_ddp(skb) 0 #endif -static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, - struct ddpehdr *ddp, __u16 len_hops, - int origlen) +static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev, + struct ddpehdr *ddp, __u16 len_hops, int origlen) { struct atalk_route *rt; struct atalk_addr ta; @@ -1359,8 +1359,6 @@ static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */ struct sk_buff *nskb = skb_realloc_headroom(skb, 32); kfree_skb(skb); - if (!nskb) - goto out; skb = nskb; } else skb = skb_unshare(skb, GFP_ATOMIC); @@ -1369,12 +1367,16 @@ static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, * If the buffer didn't vanish into the lack of space bitbucket we can * send it. */ - if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1) - goto free_it; -out: - return; + if (skb == NULL) + goto drop; + + if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP) + return NET_RX_DROP; + return NET_XMIT_SUCCESS; free_it: kfree_skb(skb); +drop: + return NET_RX_DROP; } /** @@ -1448,8 +1450,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, /* Not ours, so we route the packet via the correct * AppleTalk iface */ - atalk_route_packet(skb, dev, ddp, len_hops, origlen); - return NET_RX_SUCCESS; + return atalk_route_packet(skb, dev, ddp, len_hops, origlen); } /* if IP over DDP is not selected this code will be optimized out */ 
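Review bot: `return NET_XMIT_SUCCESS;` in the aarp_send_ddp() success branch mixes the NET_XMIT_* and NET_RX_* namespaces in a function whose other exits return NET_RX_DROP and whose caller atalk_rcv() is a receive path, so it should read `return NET_RX_SUCCESS;`. On the `== NET_XMIT_DROP` branch the skb has already been freed inside aarp_send_ddp() (its `free_it:` and dev_queue_xmit() paths in the net/appletalk/aarp.c hunk), which is why the code returns without a kfree_skb() even though a freeing `free_it:` label sits directly below; a comment such as `/* aarp_send_ddp() consumed the skb on every path, do not free it here */` would make that ownership rule explicit. The new `if (skb == NULL) goto drop;` takes over from the `if (!nskb) goto out;` removed in the @@ -1359 hunk, so the skb_realloc_headroom() failure path still reaches `drop:` without touching the already freed original. atalk_route_packet() starts outside this hunk.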
@@ -1655,10 +1656,10 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr if (skb2) { loopback = 1; SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk); - if (aarp_send_ddp(dev, skb2, - &usat->sat_addr, NULL) == -1) - kfree_skb(skb2); - /* else queued/sent above in the aarp queue */ + /* + * If it fails it is queued/sent above in the aarp queue + */ + aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL); } } @@ -1688,9 +1689,10 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr usat = &gsat; } - if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1) - kfree_skb(skb); - /* else queued/sent above in the aarp queue */ + /* + * If it fails it is queued/sent above in the aarp queue + */ + aarp_send_ddp(dev, skb, &usat->sat_addr, NULL); } SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len); @@ -1868,7 +1870,6 @@ static struct packet_type ppptalk_packet_type __read_mostly = { static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B }; /* Export symbols for use by drivers when AppleTalk is a module */ -EXPORT_SYMBOL(aarp_send_ddp); EXPORT_SYMBOL(atrtr_get_dev); EXPORT_SYMBOL(atalk_find_dev_addr); -- cgit v1.2.2 From 8be8057e72d7d319f8e97b26e16de8021fe63988 Mon Sep 17 00:00:00 2001 From: Mark Smith Date: Sat, 12 Sep 2009 20:48:43 +0000 Subject: Have atalk_route_packet() return NET_RX_SUCCESS not NET_XMIT_SUCCESS Have atalk_route_packet() return NET_RX_SUCCESS not NET_XMIT_SUCCESS atalk_route_packet() returns NET_RX_DROP if it's call to aarp_send_ddp() returns NET_XMIT_DROP. If aarp_send_ddp() returns anything else atalk_route_packet() should return NET_RX_SUCCESS, not NET_XMIT_SUCCESS. Signed-off-by: Mark Smith Signed-off-by: David S. Miller --- net/appletalk/ddp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net/appletalk') diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c index 4a6ff2ba4d0..b1a4290996b 100644 --- a/net/appletalk/ddp.c +++ b/net/appletalk/ddp.c 
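Review bot: The new comment `If it fails it is queued/sent above in the aarp queue` is misleading: kfree_skb(skb2) is no longer needed because aarp_send_ddp() now owns the skb on every path and frees it itself on failure (see the net/appletalk/aarp.c hunk), not because failure implies queuing. Suggest `/* aarp_send_ddp() consumes skb2 on every path (sent, queued or freed) */` here and the same wording for `skb` in the @@ -1688 hunk. The NET_XMIT_DROP result is discarded in both places, so atalk_sendmsg() still reports `len` bytes written when the frame was dropped; that matches the previous behaviour, but a comment saying it is intentional would help. atalk_sendmsg() starts and ends outside both hunks.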
@@ -1372,7 +1372,7 @@ static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev, if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP) return NET_RX_DROP; - return NET_XMIT_SUCCESS; + return NET_RX_SUCCESS; free_it: kfree_skb(skb); drop: -- cgit v1.2.2