Linux kernel source tree https://git.amat.us/linux/atom/net/caif/caif_socket.c?h=v3.4.88 2013-12-08T15:29:41Z 2013-12-08T15:29:41Z Hannes Frederic Sowa hannes@stressinduktion.org 2013-11-21T02:14:22Z urn:sha1:18719a4c7a90af3de4bb071511dd4a6dcf61a2e0 [ Upstream commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c ] This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-05-01T16:41:04Z Mathias Krause minipli@googlemail.com 2013-04-07T01:51:52Z urn:sha1:3300687d7ebb7a8abd9945843629b09194d97430 [ Upstream commit 2d6fbfe733f35c6b355c216644e08e149c61b271 ] The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about caif_seqpkt_recvmsg() not filling the msg_name in case it was set. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-04T21:39:32Z David S. Miller davem@davemloft.net 2012-02-04T21:39:32Z urn:sha1:dd48dc34fe7639a8b2e22d8b609672f5f81aa7cb 2012-02-04T21:06:27Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2012-02-03T04:36:19Z urn:sha1:4a695823b580124c3ab750d8d528f7c6522628c3 Kill off the debug-fs exposed varaibles from caif_socket. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-02-02T19:35:12Z Dmitry Tarnyagin dmitry.tarnyagin@stericsson.com 2012-02-02T01:21:03Z urn:sha1:ba7605745d5c99f0e71b3ec6c7cb5ed6afe540ad SKB is freed twice upon send error. The Network stack consumes SKB even when it returns error code. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-05-23T00:11:47Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2011-05-22T11:18:51Z urn:sha1:54e90fb5ca8050156d3e748ddc690ed6ea9d71ac CAIF Socket layer - caif_socket.c: - Plug mem-leak at reconnect. - Always call disconnect to cleanup CAIF stack. - Disconnect will always report success. CAIF configuration layer - cfcnfg.c - Disconnect must dismantle the caif stack correctly - Protect against faulty removals (check on id zero) CAIF mux layer - cfmuxl.c - When inserting new service layer in the MUX remove any old entries with the same ID. - When removing CAIF Link layer, remove the associated service layers before notifying service layers. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-05-15T21:45:56Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2011-05-13T02:44:08Z urn:sha1:3f874adc4ae80828b79e8aac6891c108c1f6be6d Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-05-15T21:45:56Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2011-05-13T02:44:07Z urn:sha1:33b2f5598b4ee68021364a7b795c09ad66bc0aa8 Race condition caused debugfs_create_dir() to fail due to duplicate name. Use atomic counter to create unique directory name. net_ratelimit() is introduced to limit debug printouts. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-05-15T21:45:56Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2011-05-13T02:44:06Z urn:sha1:c85c2951d4da1236e32f1858db418221e624aba5 Do proper handling of dev_queue_xmit errors in order to avoid double free of skb and leaks in error conditions. In cfctrl pending requests are removed when CAIF Link layer goes down. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-05-15T21:45:55Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2011-05-13T02:44:05Z urn:sha1:bee925db9a77a5736596dcf6f91d0879f5ee915b Use struct net to reference CAIF configuration object instead of static variables. Refactor functions caif_connect_client, caif_disconnect_client and squach files cfcnfg.c and caif_config_utils. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>