Skip to content

Commit 9c70776

Browse files
wdebruijdavem330
wdebruij
authored and
davem330
committed
packet: make packet_snd fail on len smaller than l2 header
When sending packets out with PF_PACKET, SOCK_RAW, ensure that the packet is at least as long as the device's expected link layer header. This check already exists in tpacket_snd, but not in packet_snd. Also rate limit the warning in tpacket_snd. Signed-off-by: Willem de Bruijn <[email protected]> Acked-by: Eric Dumazet <[email protected]> Acked-by: Daniel Borkmann <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent df6ce47 commit 9c70776

File tree

1 file changed

+21
-8
lines changed

1 file changed

+21
-8
lines changed

net/packet/af_packet.c

Lines changed: 21 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -2095,6 +2095,18 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
20952095
sock_wfree(skb);
20962096
}
20972097

2098+
static bool ll_header_truncated(const struct net_device *dev, int len)
2099+
{
2100+
/* net device doesn't like empty head */
2101+
if (unlikely(len <= dev->hard_header_len)) {
2102+
net_warn_ratelimited("%s: packet size is too short (%d < %d)\n",
2103+
current->comm, len, dev->hard_header_len);
2104+
return true;
2105+
}
2106+
2107+
return false;
2108+
}
2109+
20982110
static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
20992111
void *frame, struct net_device *dev, int size_max,
21002112
__be16 proto, unsigned char *addr, int hlen)
@@ -2170,12 +2182,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
21702182
if (unlikely(err < 0))
21712183
return -EINVAL;
21722184
} else if (dev->hard_header_len) {
2173-
/* net device doesn't like empty head */
2174-
if (unlikely(tp_len <= dev->hard_header_len)) {
2175-
pr_err("packet size is too short (%d < %d)\n",
2176-
tp_len, dev->hard_header_len);
2185+
if (ll_header_truncated(dev, tp_len))
21772186
return -EINVAL;
2178-
}
21792187

21802188
skb_push(skb, dev->hard_header_len);
21812189
err = skb_store_bits(skb, 0, data,
@@ -2500,9 +2508,14 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
25002508
skb_set_network_header(skb, reserve);
25012509

25022510
err = -EINVAL;
2503-
if (sock->type == SOCK_DGRAM &&
2504-
(offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len)) < 0)
2505-
goto out_free;
2511+
if (sock->type == SOCK_DGRAM) {
2512+
offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
2513+
if (unlikely(offset) < 0)
2514+
goto out_free;
2515+
} else {
2516+
if (ll_header_truncated(dev, len))
2517+
goto out_free;
2518+
}
25062519

25072520
/* Returns -EFAULT on error */
25082521
err = skb_copy_datagram_from_iovec(skb, offset, msg->msg_iov, 0, len);

0 commit comments

Comments
 (0)