From 799f028dca4acbd789deddaf9c5910fdcb5a8240 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 2 Sep 2022 09:48:19 +0200 Subject: [PATCH] 5.10-stable patches added patches: net-af_packet-check-len-when-min_header_len-equals-to-0.patch --- ...-len-when-min_header_len-equals-to-0.patch | 35 +++++++++++++++++++ queue-5.10/series | 1 + 2 files changed, 36 insertions(+) create mode 100644 queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch diff --git a/queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch b/queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch new file mode 100644 index 00000000000..e0f01cb3f18 --- /dev/null +++ b/queue-5.10/net-af_packet-check-len-when-min_header_len-equals-to-0.patch @@ -0,0 +1,35 @@ +From dc633700f00f726e027846a318c5ffeb8deaaeda Mon Sep 17 00:00:00 2001 +From: Zhengchao Shao +Date: Wed, 27 Jul 2022 17:33:12 +0800 +Subject: net/af_packet: check len when min_header_len equals to 0 + +From: Zhengchao Shao + +commit dc633700f00f726e027846a318c5ffeb8deaaeda upstream. + +User can use AF_PACKET socket to send packets with the length of 0. +When min_header_len equals to 0, packet_snd will call __dev_queue_xmit +to send packets, and sock->type can be any type. + +Reported-by: syzbot+5ea725c25d06fb9114c4@syzkaller.appspotmail.com +Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len") +Signed-off-by: Zhengchao Shao +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2986,8 +2986,8 @@ static int packet_snd(struct socket *soc + if (err) + goto out_free; + +- if (sock->type == SOCK_RAW && +- !dev_validate_header(dev, skb->data, len)) { ++ if ((sock->type == SOCK_RAW && ++ !dev_validate_header(dev, skb->data, len)) || !skb->len) { + err = -EINVAL; + goto out_free; + } diff --git a/queue-5.10/series b/queue-5.10/series index 5ee3fbf71cc..6870b660bed 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -33,3 +33,4 @@ xfs-always-succeed-at-setting-the-reserve-pool-size.patch xfs-fix-overfilling-of-reserve-pool.patch xfs-fix-soft-lockup-via-spinning-in-filestream-ag-selection-loop.patch xfs-revert-xfs-actually-bump-warning-counts-when-we-send-warnings.patch +net-af_packet-check-len-when-min_header_len-equals-to-0.patch -- 2.47.3