tipc: safely copy UDP netlink data from user
authorRichard Alpe <richard.alpe@ericsson.com>
Thu, 3 Mar 2016 13:20:42 +0000 (14:20 +0100)
committerDavid S. Miller <davem@davemloft.net>
Mon, 7 Mar 2016 03:54:57 +0000 (22:54 -0500)
commitddb3712552c8807c75576fb4fbdbb16f0d48b161
treed412f143ca686dc52c2acf5380d0d45af916eb38
parent2837f39c7cdbd209ab04d1c1f4eca015a40d5cd6
tipc: safely copy UDP netlink data from user

The netlink policy for TIPC_NLA_UDP_LOCAL and TIPC_NLA_UDP_REMOTE
is of type binary with a defined length. This causes the policy
framework to threat the defined length as maximum length.

There is however no protection against a user sending a smaller
amount of data. Prior to this patch this wasn't handled which could
result in a partially incomplete sockaddr_storage struct containing
uninitialized data.

In this patch we use nla_memcpy() when copying the user data. This
ensures a potential gap at the end is cleared out properly.

This was found by Julia with Coccinelle tool.

Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Reviewed-by: Erik Hugne <erik.hugne@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/udp_media.c