tipc: Fix skb_under_panic when configuring TIPC without privileges

This patch prevents a TIPC configuration command requiring network administrator privileges from triggering an skbuff underrun if it is issued by a process lacking those privileges. The revised error handling code avoids the use of a potentially uninitialized global variable by transforming the unauthorized command into a new command, then following the standard command processing path to generate the required error message. Signed-off-by: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Allan Stephens <allan.stephens@windriver.com> 2008-05-21 17:52:30 -0400
committer: David S. Miller <davem@davemloft.net> 2008-05-21 17:52:30 -0400
commit: 59f0c4523fdea865fab7d69d878269992a9d08dd (patch)
tree: 4516d63a1c32fb8e06d0730527f3c54c02df2f87
parent: dc58c78c047fb01f4c13e7de91abc5eb931920b3 (diff)
3 files changed, 23 insertions, 9 deletions
diff --git a/include/linux/tipc_config.h b/include/linux/tipc_config.h
index b0c916d1f375..2bc6fa4adeb5 100644
--- a/include/linux/tipc_config.h
+++ b/include/linux/tipc_config.h
@@ -2,7 +2,7 @@
 * include/linux/tipc_config.h: Include file for TIPC configuration interface
 * 
 * Copyright (c) 2003-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005-2007, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -136,6 +136,14 @@
 #define  TIPC_CMD_SET_NETID         0x800B    /* tx unsigned, rx none */
 /*
+ * Reserved commands:
+ * May not be issued by any process.
+ * Used internally by TIPC.
+ */
+#define  TIPC_CMD_NOT_NET_ADMIN     0xC001    /* tx none, rx none */
+/*
 * TLV types defined for TIPC
 */
diff --git a/net/tipc/config.c b/net/tipc/config.c
index 91d56f8fee9f..16e7cb74969b 100644
--- a/net/tipc/config.c
+++ b/net/tipc/config.c
@@ -2,7 +2,7 @@
 * net/tipc/config.c: TIPC configuration management code
 *
 * Copyright (c) 2002-2006, Ericsson AB
- * Copyright (c) 2004-2006, Wind River Systems
+ * Copyright (c) 2004-2007, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -602,6 +602,10 @@ struct sk_buff *tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void *request_area
        case TIPC_CMD_GET_NETID:
                rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_net_id);
                break;
+        case TIPC_CMD_NOT_NET_ADMIN:
+                rep_tlv_buf =
+                        tipc_cfg_reply_error_string(TIPC_CFG_NOT_NET_ADMIN);
+                break;
        default:
                rep_tlv_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
                                                          " (unknown command)");
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index 6a7f7b4c2595..c387217bb230 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -2,7 +2,7 @@
 * net/tipc/netlink.c: TIPC configuration handling
 *
 * Copyright (c) 2005-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005-2007, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -45,15 +45,17 @@ static int handle_cmd(struct sk_buff *skb, struct genl_info *info)
        struct nlmsghdr *req_nlh = info->nlhdr;
        struct tipc_genlmsghdr *req_userhdr = info->userhdr;
        int hdr_space = NLMSG_SPACE(GENL_HDRLEN + TIPC_GENL_HDRLEN);
+        u16 cmd;
        if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN)))
-                rep_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_NET_ADMIN);
+                cmd = TIPC_CMD_NOT_NET_ADMIN;
        else
-                rep_buf = tipc_cfg_do_cmd(req_userhdr->dest,
+                cmd = req_userhdr->cmd;
-                                          req_userhdr->cmd,
-                                          NLMSG_DATA(req_nlh) + GENL_HDRLEN + TIPC_GENL_HDRLEN,
+        rep_buf = tipc_cfg_do_cmd(req_userhdr->dest, cmd,
-                                          NLMSG_PAYLOAD(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN),
+                        NLMSG_DATA(req_nlh) + GENL_HDRLEN + TIPC_GENL_HDRLEN,
-                                          hdr_space);
+                        NLMSG_PAYLOAD(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN),
+                        hdr_space);
        if (rep_buf) {
                skb_push(rep_buf, hdr_space);
author	Allan Stephens <allan.stephens@windriver.com>	2008-05-21 17:52:30 -0400
committer	David S. Miller <davem@davemloft.net>	2008-05-21 17:52:30 -0400
commit	59f0c4523fdea865fab7d69d878269992a9d08dd (patch)
tree	4516d63a1c32fb8e06d0730527f3c54c02df2f87
parent	dc58c78c047fb01f4c13e7de91abc5eb931920b3 (diff)

diff --git a/include/linux/tipc_config.h b/include/linux/tipc_config.h index b0c916d1f375..2bc6fa4adeb5 100644 --- a/include/linux/tipc_config.h +++ b/include/linux/tipc_config.h
@@ -2,7 +2,7 @@
2	* include/linux/tipc_config.h: Include file for TIPC configuration interface	2	* include/linux/tipc_config.h: Include file for TIPC configuration interface
3	*	3	*
4	* Copyright (c) 2003-2006, Ericsson AB	4	* Copyright (c) 2003-2006, Ericsson AB
5	* Copyright (c) 2005, Wind River Systems	5	* Copyright (c) 2005-2007, Wind River Systems
6	* All rights reserved.	6	* All rights reserved.
7	*	7	*
8	* Redistribution and use in source and binary forms, with or without	8	* Redistribution and use in source and binary forms, with or without
@@ -136,6 +136,14 @@
136	#define TIPC_CMD_SET_NETID 0x800B /* tx unsigned, rx none */	136	#define TIPC_CMD_SET_NETID 0x800B /* tx unsigned, rx none */
137		137
138	/*	138	/*
		139	* Reserved commands:
		140	* May not be issued by any process.
		141	* Used internally by TIPC.
		142	*/
		143
		144	#define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */
		145
		146	/*
139	* TLV types defined for TIPC	147	* TLV types defined for TIPC
140	*/	148	*/
141		149


diff --git a/net/tipc/config.c b/net/tipc/config.c index 91d56f8fee9f..16e7cb74969b 100644 --- a/net/tipc/config.c +++ b/net/tipc/config.c
@@ -2,7 +2,7 @@
2	* net/tipc/config.c: TIPC configuration management code	2	* net/tipc/config.c: TIPC configuration management code
3	*	3	*
4	* Copyright (c) 2002-2006, Ericsson AB	4	* Copyright (c) 2002-2006, Ericsson AB
5	* Copyright (c) 2004-2006, Wind River Systems	5	* Copyright (c) 2004-2007, Wind River Systems
6	* All rights reserved.	6	* All rights reserved.
7	*	7	*
8	* Redistribution and use in source and binary forms, with or without	8	* Redistribution and use in source and binary forms, with or without
@@ -602,6 +602,10 @@ struct sk_buff tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void request_area
602	case TIPC_CMD_GET_NETID:	602	case TIPC_CMD_GET_NETID:
603	rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_net_id);	603	rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_net_id);
604	break;	604	break;
		605	case TIPC_CMD_NOT_NET_ADMIN:
		606	rep_tlv_buf =
		607	tipc_cfg_reply_error_string(TIPC_CFG_NOT_NET_ADMIN);
		608	break;
605	default:	609	default:
606	rep_tlv_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED	610	rep_tlv_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
607	" (unknown command)");	611	" (unknown command)");


diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index 6a7f7b4c2595..c387217bb230 100644 --- a/net/tipc/netlink.c +++ b/net/tipc/netlink.c
@@ -2,7 +2,7 @@
2	* net/tipc/netlink.c: TIPC configuration handling	2	* net/tipc/netlink.c: TIPC configuration handling
3	*	3	*
4	* Copyright (c) 2005-2006, Ericsson AB	4	* Copyright (c) 2005-2006, Ericsson AB
5	* Copyright (c) 2005, Wind River Systems	5	* Copyright (c) 2005-2007, Wind River Systems
6	* All rights reserved.	6	* All rights reserved.
7	*	7	*
8	* Redistribution and use in source and binary forms, with or without	8	* Redistribution and use in source and binary forms, with or without
@@ -45,15 +45,17 @@ static int handle_cmd(struct sk_buff skb, struct genl_info info)
45	struct nlmsghdr *req_nlh = info->nlhdr;	45	struct nlmsghdr *req_nlh = info->nlhdr;
46	struct tipc_genlmsghdr *req_userhdr = info->userhdr;	46	struct tipc_genlmsghdr *req_userhdr = info->userhdr;
47	int hdr_space = NLMSG_SPACE(GENL_HDRLEN + TIPC_GENL_HDRLEN);	47	int hdr_space = NLMSG_SPACE(GENL_HDRLEN + TIPC_GENL_HDRLEN);
		48	u16 cmd;
48		49
49	if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN)))	50	if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN)))
50	rep_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_NET_ADMIN);	51	cmd = TIPC_CMD_NOT_NET_ADMIN;
51	else	52	else
52	rep_buf = tipc_cfg_do_cmd(req_userhdr->dest,	53	cmd = req_userhdr->cmd;
53	req_userhdr->cmd,	54
54	NLMSG_DATA(req_nlh) + GENL_HDRLEN + TIPC_GENL_HDRLEN,	55	rep_buf = tipc_cfg_do_cmd(req_userhdr->dest, cmd,
55	NLMSG_PAYLOAD(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN),	56	NLMSG_DATA(req_nlh) + GENL_HDRLEN + TIPC_GENL_HDRLEN,
56	hdr_space);	57	NLMSG_PAYLOAD(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN),
		58	hdr_space);
57		59
58	if (rep_buf) {	60	if (rep_buf) {
59	skb_push(rep_buf, hdr_space);	61	skb_push(rep_buf, hdr_space);