diff options
| author | Willem de Bruijn <willemb@google.com> | 2014-11-19 13:10:16 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-11-21 14:43:07 -0500 |
| commit | 9c7077622dd917457ced680a23b7f175769471d9 (patch) | |
| tree | 8c162e5ef188298d9fce81c7d2a6fb216f2d0a5c /net/packet | |
| parent | df6ce47091620d76bbe036d0af3dc1abad4576c1 (diff) | |
packet: make packet_snd fail on len smaller than l2 header
When sending packets out with PF_PACKET, SOCK_RAW, ensure that the
packet is at least as long as the device's expected link layer header.
This check already exists in tpacket_snd, but not in packet_snd.
Also rate limit the warning in tpacket_snd.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/packet')
| -rw-r--r-- | net/packet/af_packet.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 4cd13d8de44b..58af58026dd2 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c | |||
| @@ -2095,6 +2095,18 @@ static void tpacket_destruct_skb(struct sk_buff *skb) | |||
| 2095 | sock_wfree(skb); | 2095 | sock_wfree(skb); |
| 2096 | } | 2096 | } |
| 2097 | 2097 | ||
| 2098 | static bool ll_header_truncated(const struct net_device *dev, int len) | ||
| 2099 | { | ||
| 2100 | /* net device doesn't like empty head */ | ||
| 2101 | if (unlikely(len <= dev->hard_header_len)) { | ||
| 2102 | net_warn_ratelimited("%s: packet size is too short (%d < %d)\n", | ||
| 2103 | current->comm, len, dev->hard_header_len); | ||
| 2104 | return true; | ||
| 2105 | } | ||
| 2106 | |||
| 2107 | return false; | ||
| 2108 | } | ||
| 2109 | |||
| 2098 | static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, | 2110 | static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, |
| 2099 | void *frame, struct net_device *dev, int size_max, | 2111 | void *frame, struct net_device *dev, int size_max, |
| 2100 | __be16 proto, unsigned char *addr, int hlen) | 2112 | __be16 proto, unsigned char *addr, int hlen) |
| @@ -2170,12 +2182,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, | |||
| 2170 | if (unlikely(err < 0)) | 2182 | if (unlikely(err < 0)) |
| 2171 | return -EINVAL; | 2183 | return -EINVAL; |
| 2172 | } else if (dev->hard_header_len) { | 2184 | } else if (dev->hard_header_len) { |
| 2173 | /* net device doesn't like empty head */ | 2185 | if (ll_header_truncated(dev, tp_len)) |
| 2174 | if (unlikely(tp_len <= dev->hard_header_len)) { | ||
| 2175 | pr_err("packet size is too short (%d < %d)\n", | ||
| 2176 | tp_len, dev->hard_header_len); | ||
| 2177 | return -EINVAL; | 2186 | return -EINVAL; |
| 2178 | } | ||
| 2179 | 2187 | ||
| 2180 | skb_push(skb, dev->hard_header_len); | 2188 | skb_push(skb, dev->hard_header_len); |
| 2181 | err = skb_store_bits(skb, 0, data, | 2189 | err = skb_store_bits(skb, 0, data, |
| @@ -2500,9 +2508,14 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) | |||
| 2500 | skb_set_network_header(skb, reserve); | 2508 | skb_set_network_header(skb, reserve); |
| 2501 | 2509 | ||
| 2502 | err = -EINVAL; | 2510 | err = -EINVAL; |
| 2503 | if (sock->type == SOCK_DGRAM && | 2511 | if (sock->type == SOCK_DGRAM) { |
| 2504 | (offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len)) < 0) | 2512 | offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len); |
| 2505 | goto out_free; | 2513 | if (unlikely(offset) < 0) |
| 2514 | goto out_free; | ||
| 2515 | } else { | ||
| 2516 | if (ll_header_truncated(dev, len)) | ||
| 2517 | goto out_free; | ||
| 2518 | } | ||
| 2506 | 2519 | ||
| 2507 | /* Returns -EFAULT on error */ | 2520 | /* Returns -EFAULT on error */ |
| 2508 | err = skb_copy_datagram_from_iovec(skb, offset, msg->msg_iov, 0, len); | 2521 | err = skb_copy_datagram_from_iovec(skb, offset, msg->msg_iov, 0, len); |