[NET]: Fix CMSG validation checks wrt. signedness.

Noticed by Georgi Guninski. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>

[NET]: Fix CMSG validation checks wrt. signedness.
Noticed by Georgi Guninski. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
620512af · Herbert Xu · Linus Torvalds · 4c20da44 · 620512af · 620512af
Commit 620512af authored Dec 07, 2004 by Herbert Xu Committed by Linus Torvalds Dec 07, 2004
5 changed files
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -90,6 +90,10 @@ struct cmsghdr {
 				  (struct cmsghdr *)(ctl) : \
 				  (struct cmsghdr *)NULL)
 #define CMSG_FIRSTHDR(msg)	__CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
+#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
+			     (cmsg)->cmsg_len <= (unsigned long) \
+			     ((mhdr)->msg_controllen - \
+			      ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
 /*
 *	This mess will go away with glibc

--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -127,9 +127,7 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
 		   for too short ancillary data object at all! Oops.
 		   OK, let's add it...
 		 */
-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+		if (!CMSG_OK(msg, cmsg))
-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
-				    + cmsg->cmsg_len) > msg->msg_controllen)
 			goto error;
 		if (cmsg->cmsg_level != SOL_SOCKET)

--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -146,11 +146,8 @@ int ip_cmsg_send(struct msghdr *msg, struct ipcm_cookie *ipc)
 	struct cmsghdr *cmsg;
 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+		if (!CMSG_OK(msg, cmsg))
-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
-				    + cmsg->cmsg_len) > msg->msg_controllen) {
 			return -EINVAL;
-		}
 		if (cmsg->cmsg_level != SOL_IP)
 			continue;
 		switch (cmsg->cmsg_type) {

--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -427,9 +427,7 @@ int datagram_send_ctl(struct msghdr *msg, struct flowi *fl,
 		int addr_type;
 		struct net_device *dev = NULL;
-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+		if (!CMSG_OK(msg, cmsg)) {
-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
-				    + cmsg->cmsg_len) > msg->msg_controllen) {
 			err = -EINVAL;
 			goto exit_f;
 		}

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4098,12 +4098,8 @@ SCTP_STATIC int sctp_msghdr_parse(const struct msghdr *msg,
 	for (cmsg = CMSG_FIRSTHDR(msg);
 	     cmsg != NULL;
 	     cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
-		/* Check for minimum length.  The SCM code has this check.  */
+		if (!CMSG_OK(msg, cmsg))
-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
-				    + cmsg->cmsg_len) > msg->msg_controllen) {
 			return -EINVAL;
-		}
 		/* Should we parse this header or ignore?  */
 		if (cmsg->cmsg_level != IPPROTO_SCTP)