git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Willem de Bruijn <willemb@google.com>
	Tue, 12 Jul 2016 22:18:56 +0000 (18:18 -0400)
committer	Ben Hutchings <ben@decadent.org.uk>
	Thu, 23 Feb 2017 03:54:46 +0000 (03:54 +0000)
commit	d0fb92f2ca9b8c3ba10047b5e134cd7d1459cc1c
tree	c604ee27806ef2a3ad809d5f80658b460f7ad9b0	tree
parent	bed7167a188ec74018825232eeee67e2032275f8	commit \| diff

rose: limit sk_filter trim to payload

commit f4979fcea7fd36d8e2f556abef86f80e0d5af1ba upstream.

Sockets can have a filter program attached that drops or trims
incoming packets based on the filter program return value.

Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
verifies this on arrival in rose_route_frame and unconditionally pulls
the bytes in rose_recvmsg. The filter can trim packets to below this
value in-between, causing pull to fail, leaving the partial header at
the time of skb_copy_datagram_msg.

Place a lower bound on the size to which sk_filter may trim packets
by introducing sk_filter_trim_cap and call this for rose packets.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

include/linux/filter.h		diff \| blob \| blame \| history
net/core/filter.c		diff \| blob \| blame \| history
net/rose/rose_in.c		diff \| blob \| blame \| history