1 | Added IPv6 socket checks in `calipso_sock_getattr`, `calipso_sock_setattr`, | 1 | When calling netlbl_conn_setattr(), addr->sa_family is used |
---|---|---|---|
2 | and `calipso_sock_delattr` functions. | 2 | to determine the function behavior. If sk is an IPv4 socket, |
3 | Return `-EAFNOSUPPORT` error code if the socket is not of the IPv6 type. | 3 | but the connect function is called with an IPv6 address, |
4 | This fix prevents the IPv6 datagram code from | 4 | the function calipso_sock_setattr() is triggered. |
5 | incorrectly calling the IPv4 datagram code, | 5 | Inside this function, the following code is executed: |
6 | thereby avoiding a NULL pointer exception. | ||
7 | 6 | ||
7 | sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; | ||
8 | |||
9 | Since sk is an IPv4 socket, pinet6 is NULL, leading to a | ||
10 | null pointer dereference. | ||
11 | |||
12 | This patch fixes the issue by checking if inet6_sk(sk) | ||
13 | returns a NULL pointer before accessing pinet6. | ||
14 | |||
15 | Fixes: ceba1832b1b2("calipso: Set the calipso socket label to match the secattr.") | ||
8 | Signed-off-by: Debin Zhu <mowenroot@163.com> | 16 | Signed-off-by: Debin Zhu <mowenroot@163.com> |
9 | Signed-off-by: Bitao Ouyang <1985755126@qq.com> | 17 | Signed-off-by: Bitao Ouyang <1985755126@qq.com> |
18 | Acked-by: Paul Moore <paul@paul-moore.com> | ||
19 | |||
10 | --- | 20 | --- |
11 | net/ipv6/calipso.c | 27 +++++++++++++++++++++------ | 21 | net/ipv6/calipso.c | 23 +++++++++++++++++++---- |
12 | 1 file changed, 21 insertions(+), 6 deletions(-) | 22 | 1 file changed, 19 insertions(+), 4 deletions(-) |
13 | 23 | ||
14 | diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c | 24 | diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c |
15 | index XXXXXXX..XXXXXXX 100644 | 25 | index XXXXXXX..XXXXXXX 100644 |
16 | --- a/net/ipv6/calipso.c | 26 | --- a/net/ipv6/calipso.c |
17 | +++ b/net/ipv6/calipso.c | 27 | +++ b/net/ipv6/calipso.c |
18 | @@ -XXX,XX +XXX,XX @@ static int calipso_sock_getattr(struct sock *sk, | 28 | @@ -XXX,XX +XXX,XX @@ static int calipso_sock_getattr(struct sock *sk, |
19 | struct ipv6_opt_hdr *hop; | 29 | struct ipv6_opt_hdr *hop; |
20 | int opt_len, len, ret_val = -ENOMSG, offset; | 30 | int opt_len, len, ret_val = -ENOMSG, offset; |
21 | unsigned char *opt; | 31 | unsigned char *opt; |
22 | - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); | 32 | - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); |
23 | - | ||
24 | + struct ipv6_pinfo *pinfo = inet6_sk(sk); | 33 | + struct ipv6_pinfo *pinfo = inet6_sk(sk); |
25 | + struct ipv6_txoptions *txopts; | 34 | + struct ipv6_txoptions *txopts; |
26 | + /* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL */ | 35 | |
27 | + if (!pinfo) | 36 | + if (!pinfo) |
28 | + return -EAFNOSUPPORT; | 37 | + return -EAFNOSUPPORT; |
29 | + | 38 | + |
30 | + txopts = txopt_get(pinfo); | 39 | + txopts = txopt_get(pinfo); |
31 | if (!txopts || !txopts->hopopt) | 40 | if (!txopts || !txopts->hopopt) |
32 | goto done; | 41 | goto done; |
33 | 42 | ||
34 | @@ -XXX,XX +XXX,XX @@ static int calipso_sock_setattr(struct sock *sk, | 43 | @@ -XXX,XX +XXX,XX @@ static int calipso_sock_setattr(struct sock *sk, |
35 | { | 44 | { |
36 | int ret_val; | 45 | int ret_val; |
37 | struct ipv6_opt_hdr *old, *new; | 46 | struct ipv6_opt_hdr *old, *new; |
38 | - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); | 47 | - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); |
39 | - | 48 | - |
40 | + struct ipv6_pinfo *pinfo = inet6_sk(sk); | 49 | + struct ipv6_pinfo *pinfo = inet6_sk(sk); |
41 | + struct ipv6_txoptions *txopts; | 50 | + struct ipv6_txoptions *txopts; |
42 | + /* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL */ | 51 | + |
43 | + if (!pinfo) | 52 | + if (!pinfo) |
44 | + return -EAFNOSUPPORT; | 53 | + return -EAFNOSUPPORT; |
45 | + | 54 | + |
46 | + txopts = txopt_get(pinfo); | 55 | + txopts = txopt_get(pinfo); |
47 | old = NULL; | 56 | old = NULL; |
... | ... | ||
50 | @@ -XXX,XX +XXX,XX @@ static int calipso_sock_setattr(struct sock *sk, | 59 | @@ -XXX,XX +XXX,XX @@ static int calipso_sock_setattr(struct sock *sk, |
51 | static void calipso_sock_delattr(struct sock *sk) | 60 | static void calipso_sock_delattr(struct sock *sk) |
52 | { | 61 | { |
53 | struct ipv6_opt_hdr *new_hop; | 62 | struct ipv6_opt_hdr *new_hop; |
54 | - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); | 63 | - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); |
55 | - | ||
56 | + struct ipv6_pinfo *pinfo = inet6_sk(sk); | 64 | + struct ipv6_pinfo *pinfo = inet6_sk(sk); |
57 | + struct ipv6_txoptions *txopts; | 65 | + struct ipv6_txoptions *txopts; |
58 | + /* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL */ | 66 | |
59 | + if (!pinfo) | 67 | + if (!pinfo) |
60 | + return -EAFNOSUPPORT; | 68 | + return; |
61 | + | 69 | + |
62 | + txopts = txopt_get(pinfo); | 70 | + txopts = txopt_get(pinfo); |
63 | if (!txopts || !txopts->hopopt) | 71 | if (!txopts || !txopts->hopopt) |
64 | goto done; | 72 | goto done; |
65 | 73 | ||
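Review bot: The new `if (!pinfo)` guard in calipso_sock_getattr, repeated in calipso_sock_setattr and calipso_sock_delattr, infers the socket family from `inet6_sk(sk)` returning NULL. That only holds while `pinet6` is zero for every non-IPv6 socket that can reach these functions, and whether anything other than AF_INET sockets can get here is not visible from the hunks. Testing the family as well states the intent directly: `if (sk->sk_family != AF_INET6 || !pinfo) return -EAFNOSUPPORT;`, with a plain `return;` in calipso_sock_delattr. The revised patch also drops the explanatory comment, so I would add one above each check, for example `/* sk may be an AF_INET socket used with an IPv6 address; it has no ipv6_pinfo */`. All three function bodies continue outside the hunks, so how callers handle the new -EAFNOSUPPORT return in place of the previous -ENOMSG default should be confirmed there.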
66 | -- | 74 | -- |
67 | 2.34.1 | 75 | 2.34.1 |